Alternatives to grabbing ownership would be to make yourself an account operator and add yourself to test1; spawning a process as localsystem and adding yourself to test1.
Note that the test1admins would also have to remove builtin/administrators access as well or else ent and dom admins will have access.

However if I ran an AD and someone removed domain admins like that I think I would pop the grouptype of their admin group and make it a DL just to prove a point to them. All removing ent/domain admins does is give a false sense of security.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, February 07, 2005 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Fun with delegated permissions.

If Domain Admins is the owner of Test1, then they can change permissions on the OU. If Domain Admins is not the owner of Test1, you'll have to grab that first. Right-click the OU, go to Properties, Security, Advanced, click on the Owner tab, and grab ownership.

Hunter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, February 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fun with delegated permissions.

(Gotta get out of the habit of ending my subject lines with ellipses so that Deji's webmail will be able to open them.)

Hello all,

Playing with a situation in a break-and-fix test lab and am looking for the...fix:

1. I'm a Domain admin for mycompany.com. I create an OU called Test1, that contains a security group called Test1Admins.
2. I then run Delegation of Authority and grant Test1Admins Full Control over the entire OU.
3. Someone in Test1Admins removes Domain Admins/Enterprise Admins permissions to the entire OU.
4. Every single member of Test1Admins gets killed in a strange bass-fishing accident, and now the Domain Admins need to re-exert control over this "orphaned" OU.

I could swear I've read how to fix this somewhere, but I'm not coming up with it.

Thanks!
Laura

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
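
An added example, not part of any message in the thread: a PowerShell audit that lists OUs in the state Laura describes, where the built-in admin groups are neither owner nor hold any Allow ACE, or where the caller cannot read the DACL at all. It assumes the ActiveDirectory RSAT module and its AD: drive are available and that the forest has a single domain, so Enterprise Admins resolves under the same NetBIOS name.

```powershell
# Added example: report OUs whose ACL no longer includes the built-in admin groups.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Groups the thread discusses. Assumption: single-domain forest, so
# Enterprise Admins lives in this domain.
$watch = @(
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "BUILTIN\Administrators"
)

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $dn = $_.DistinguishedName
    try {
        $acl = Get-Acl -Path ("AD:\" + $dn) -ErrorAction Stop
    }
    catch {
        # The caller is not owner and has no READ_CONTROL: the "orphaned" case.
        return [pscustomobject]@{
            OU              = $dn
            Owner           = '<unreadable>'
            MissingAllowFor = 'DACL not readable by caller'
        }
    }

    # Identities holding at least one Allow ACE (explicit or inherited).
    # This only shows presence in the DACL, not Full Control.
    $allowed = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $missing = $watch | Where-Object { $_ -notin $allowed }

    [pscustomobject]@{
        OU              = $dn
        Owner           = $acl.Owner
        MissingAllowFor = ($missing -join '; ')
    }
} |
    # Keep only OUs that need review: a watched group is missing,
    # or the owner is not one of the watched groups.
    Where-Object { $_.MissingAllowFor -or ($_.Owner -notin $watch) } |
    Format-Table -AutoSize -Wrap
```

An OU reported with an unexpected owner is one where the ownership step Hunter describes would be needed before permissions can be changed.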