Delegation to create/delete OUs

Hi,

I am trying to delegate the creation/deletion of OUs in a sub OU.  I have gone through the delegation wizard where I have selected "Organization Unit objects" and checked "create selected objects in this folder" and "delete selected objects in this folder". On the permissions page I selected "Create Organizational Unit objects" and "Delete Organizational Unit objects".  This allows the delegates to create and delete OUs.  However, the "Protect container from accidental deletion" check box is greyed out and unchecked (waiting to upload a screenshot).

I'd like to give the delegates the ability to toggle this check mark on or off.  When an administrator creates an OU the box for "Protect container from accidental deletion" is enabled and it is always checked.  Please advise on how to get this check box enabled for our delegates.

Thanks,
Chris

June 25th, 2015 9:54am

> I'd like to give the delegates the ability to toggle this check mark on
> or off.  When an administrator creates an OU the box for "Protect
> container from accidental deletion" is enabled and it is always checked.
> Please advise on how to get this check box enabled for our delegates.

This check box is not represented by an attribute change, but by an ACL entry for everyone, denying "Delete", "Delete subtree" and "Delete all Child objects". The dsa UI evaluates this ACL and if present, enables the check box.

https://technet.microsoft.com/library/cc736842.aspx

If you want to delegate this, you might need to delegate "Read Permissions" and "Modify Permission".

June 25th, 2015 10:26am

Thanks Martin,

When I gave the delegate "Modify Permission" the check box became enabled (read permission was not enough).  This might be too much permission for the delegate now, but at least we know what the fix is for the check box.

Chris

June 25th, 2015 10:50am
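
An added example, not part of the thread: a PowerShell sketch that reads an OU's access rules to report which of the three Deny entries for Everyone named above are present, and which principals hold "Modify Permissions" (`WriteDacl`), so the scope of that delegation can be reviewed. The function names, the delegate SID and the sample ACEs are constructed for illustration; the commented `Get-Acl` line assumes the ActiveDirectory module and uses a placeholder DN.

```powershell
# Constructed sample ACEs: runs on Windows without a domain.
Add-Type -AssemblyName System.DirectoryServices
$Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

function Get-DeletionProtectionState {
    # Reports which delete rights are denied to Everyone in the given ACEs.
    param([object[]]$Access)
    $denied = 0
    foreach ($ace in $Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($ace.AccessControlType -eq 'Deny' -and $sid.Equals($Everyone)) {
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $state = [ordered]@{}
    foreach ($name in 'Delete', 'DeleteTree', 'DeleteChild') {
        $flag = [int][System.DirectoryServices.ActiveDirectoryRights]$name
        $state[$name] = ($denied -band $flag) -eq $flag
    }
    [pscustomobject]$state
}

function Get-ModifyPermissionHolder {
    # Lists Allow ACEs that include WriteDacl ("Modify Permissions").
    param([object[]]$Access)
    $writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $writeDacl) -eq $writeDacl
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Constructed delegate SID and ACEs (not taken from any real directory).
$delegate = [System.Security.Principal.SecurityIdentifier]::new(
    'S-1-5-21-1111111111-2222222222-3333333333-1105')
$R = [System.DirectoryServices.ActiveDirectoryRights]
$T = [System.Security.AccessControl.AccessControlType]
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Everyone, $R'Delete, DeleteTree', $T::Deny),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $delegate, $R'CreateChild, DeleteChild, WriteDacl', $T::Allow)
)

# Against a live OU (placeholder DN), replace $sample with:
#   (Get-Acl -Path 'AD:\OU=Example,DC=example,DC=com').Access
Get-DeletionProtectionState -Access $sample
Get-ModifyPermissionHolder  -Access $sample
```
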

Hi Potzy,

I'm glad to hear you know how to fix the check box. And also thanks Martin for the simple explanation.

You need to manually remove "prevent object from accidental deletion"; there is no way to delegate the same.

http://policelli.com/blog/archive/2008/06/18/protect-ad-ds-objects-from-accidental-deletion/

Also, it is not good practice to delegate groups of users to perform the above-mentioned AD activity. It is also recommended to enable auditing to track the activities carried out by the users.

https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Best Regards,

Mary Dong

June 25th, 2015 10:05pm

This topic is archived. No further replies will be accepted.
