|
|
 FAQ
 Search
 Memberlist
 Usergroups
 Register
 Profile
 Private messages
 Log in
|
|
| Author |
Message |
eLINIA
Guest
|
 Posted: Wed Oct 31, 2007 2:15 pm Post subject: child OU permissions |
 |
|
I have modified the permissions on an OU to exclude authenticated users,
account and print operators. However when I create a child OU under this OU,
authenticated users, account and print operators are added to the DACL. How
can I stop these permissions being added to further child OU’s that will be
created under this OU?” |
|
| Back to top |
|
 |
|
|
Steve B
Guest
|
| Posted: Wed Oct 31, 2007 2:15 pm Post subject: RE: child OU permissions |
|
|
When a new Active Directory object is created, the permissions that are
specified in the DefaultSecurityDescriptor attribute of its classSchema
object in the schema are applied to it.
Take a look at the following KB article:
http://support.microsoft.com/default.aspx/kb/321476
Whilst this applies to GPOs, the same principle applies to OUs. You will
need to update the SecurityDesciptor on the CN=Organizational-Unit
classSchema object.
NOTE: Take care - test it first in a lab since it will effect all future
OU's (not just the one's being created underneath the child OU)!!!
Why are you are trying to exclude authenticated users, account and print
operators. There may be a better way of doing it.
"eLINIA" wrote:
| Quote: | I have modified the permissions on an OU to exclude authenticated users,
account and print operators. However when I create a child OU under this OU,
authenticated users, account and print operators are added to the DACL. How
can I stop these permissions being added to further child OU’s that will be
created under this OU?” |
|
|
| Back to top |
|
|
|
|
