Agreed. I can't imagine a way to have that kind of "isolated OU" the way Active Directory is currently laid out - I'm seeing the words "security boundary" and "new forest" in my head before I get even three seconds into the thought. Though it would certainly solve the problem of wanting to create that type of isolation without needing to set up a separate forest (with the associated separate namespace), either for security reasons (R&D) or political (this department wants to run their own boxes) ones.
Laura

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, February 07, 2005 1:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Fun with delegated permissions.
>
> Honestly, I wouldn't mind if that nasty method was available in AD. Then
> when you kicked out admins, it really meant they were kicked out. They call
> that security versus false sense of security. The whole creator/owner thing
> is a giant get out of jail free card but it can be used for or against you.
>
> Maybe they should allow that get out of jail free, but it requires some
> super duper method to do it that an admin can't go off in a corner and
> quickly and easily do.
>
> Obviously that won't happen even in the Longhorn Time Frame as it would
> require a very large change in the ACL paradigm currently in place.
>
> joe