permissions question
Please can you offer any advice, if possible, on how to prevent AD department administrators (not domain admins) who create groups in their respective OUs from gaining FULL ACCESS permissions on the group objects that they create. Happy to help, but hey, I'm only human, I'm not always right!! This posting is provided AS IS. ***If you're not living on the edge, you're taking up too much space***
June 8th, 2010 2:01pm

Hello, since they create the groups, they automatically become the owner and thus have full privileges on the group. Isaac Oben MCITP:EA, MCSE
June 8th, 2010 3:18pm

Hi there, thanks for that, I thought as much. Do you know if there is a way around this, maybe changing (removing) something like CREATOR OWNER (probably not the right one, but just an idea)? Any thought would be most welcome.
June 8th, 2010 3:45pm

Hi, you can also modify the permissions on the respective OUs to achieve your goal:
1. Grant the department administrators the permission to create objects in the OU only.
2. Deny the department administrators the right to modify (or any other fine-grained permissions on) the objects in the OU.
Then a department administrator will be able to create objects but will have no other permissions, because an explicit deny permission will override an explicit allow.
June 9th, 2010 6:20am

Hi there, thank you for your reply. I've tried your suggestion; however, the department admin can still override the permissions by removing "inherit permissions from parent" and removing the "deny" permissions. Can we prevent creator owners from doing this?
June 11th, 2010 1:45pm

Any ideas???
June 14th, 2010 1:07pm

Hmmmm, any ideas, anyone????
June 15th, 2010 11:46am

To add to the above, then, as there is still no help on this one: if you have a group (called admingroup) that is used to allow certain users to create groups within one OU, you delegate rights to allow the users to create, delete and modify. When a group is created they have, of course, full privileges over that group. If on the OU you put a deny on so that the group admins have the description field in AD greyed out so they can't make changes to it, then at this moment in time these users can create groups etc. but they don't have access to change the description field. If a user then goes into the permissions they can get to the inheritance check box; if they clear this and copy and replace the permissions, they will then be allowed to remove that deny and so be able to make a change to the description field (which we don't want them to do). How can we stop them being able to clear the inheritance check box, to stop them being able to remove the deny permissions?
June 21st, 2010 1:22pm

Can anyone help me??? I can provide a walkthrough if that helps. Help, anyone?????
June 28th, 2010 4:08pm

An option for you is to uncheck the inheritance box and then give permissions on a per-group/OU basis. Isaac Oben MCITP:EA, MCSE
June 28th, 2010 5:19pm

The issue appears to be caused because, by default/design, creators (owners) of an object have full control over the permissions of the object. Also, by design, owners of the object can modify permissions even when denied all access to the object. The solution is simple:
1) CHANGE the OWNER of the object to another set of users, i.e. Administrators. The simple solution is to use DSACLS to change ownership. You could script this to run once an hour, once a day, or as needed to reset the group ownership. http://support.microsoft.com/kb/281146
2) Then change permissions as desired to grant only the appropriate level of access. This can also be done via the DSACLS script.
Read the following for more information on ownership in AD and NTFS.
How to allow assignment of Ownership without being a Local Administrator
http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20allow%20assignment%20of%20Ownership%20without%20being%20a%20Local%20Administrator.aspx
Creator Owner Explained
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx
June 28th, 2010 5:41pm
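As an added illustration of the approach in the reply above, combined with the OU-level allow/deny delegation suggested earlier in the thread (this is example code, not posted by anyone in the thread): a PowerShell sweep that walks a department OU, moves the owner of each group object to Domain Admins so the creator loses the implicit right to rewrite the security descriptor, re-enables inheritance if the creator cleared it so the OU-level deny applies again, and strips any explicit ACEs the delegated group may have granted itself on the object. It assumes the RSAT ActiveDirectory module and its AD: drive (Windows Server 2008 R2 or later), hypothetical names for the domain, OU and groups, and that it runs as a member of Domain Admins, since assigning ownership to a principal other than yourself requires SeRestorePrivilege (which Domain Admins hold on domain controllers). It uses the .NET security classes rather than dsacls because `dsacls /takeownership` only makes the caller the owner.

```powershell
# Added example, not from the original thread. All names below are hypothetical.
Import-Module ActiveDirectory

$DeptOU     = 'OU=Sales,OU=Departments,DC=corp,DC=example'                  # hypothetical OU
$NewOwner   = [System.Security.Principal.NTAccount]'CORP\Domain Admins'      # hypothetical domain
$DeptAdmins = [System.Security.Principal.NTAccount]'CORP\Sales-GroupAdmins'  # hypothetical delegated group

$SidType       = [System.Security.Principal.SecurityIdentifier]
$NewOwnerSid   = $NewOwner.Translate($SidType).Value
$DeptAdminsSid = $DeptAdmins.Translate($SidType).Value

Get-ADGroup -Filter * -SearchBase $DeptOU -SearchScope Subtree | ForEach-Object {
    $dn      = $_.DistinguishedName
    $path    = "AD:\$dn"
    $acl     = Get-Acl -Path $path
    $changed = $false

    # 1. Ownership. The owner of an AD object always has READ_CONTROL and WRITE_DAC
    #    implicitly, which is what lets the creator clear inheritance and drop the
    #    inherited deny. Moving ownership to Domain Admins removes that implicit right.
    $currentOwnerSid = $acl.GetOwner($SidType).Value
    if ($currentOwnerSid -ne $NewOwnerSid) {
        Write-Host ("Resetting owner on {0}: {1} -> {2}" -f $dn, $currentOwnerSid, $NewOwner)
        $acl.SetOwner($NewOwner)
        $changed = $true
    }

    # 2. Inheritance. If "inherit permissions from parent" was cleared on the object,
    #    turn it back on so the OU-level create-only allow and attribute deny apply again.
    if ($acl.AreAccessRulesProtected) {
        Write-Host ("Re-enabling inheritance on {0}" -f $dn)
        $acl.SetAccessRuleProtection($false, $false)
        $changed = $true
    }

    # 3. Explicit ACEs. Remove non-inherited rules for the delegated group on the group
    #    object itself; its access should come only from the OU, never from copies the
    #    creator made when converting inherited ACEs to explicit ones.
    $acl.GetAccessRules($true, $false, $SidType) |
        Where-Object { $_.IdentityReference.Value -eq $DeptAdminsSid } |
        ForEach-Object {
            Write-Host ("Removing explicit ACE for {0} on {1}" -f $DeptAdmins, $dn)
            [void]$acl.RemoveAccessRuleSpecific($_)
            $changed = $true
        }

    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}
```

Run it from a scheduled task at the interval the reply above suggests; between a group's creation and the next sweep the creator still owns the object, so the interval is the window in which the deny can be undone. Enable auditing of security-descriptor writes on the OU if you need to see who took advantage of that window.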

Thank you very much, all, for your help. In the end, what we wanted to be able to do could not be done because of the rights the administrator had. Because of this we are installing 2008 Server, which allows auditing at attribute level, so we can see who is changing what. This in itself is causing a few issues but we are working on them. Thank you all for your help.
July 7th, 2010 11:06am
