Hi Joe For some reason the below, doesn't give me access to update member list - am running in 2003 sp1 test domain.
dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member" Is it different with sp1? Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 12:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hey Freddy, I put this in the original post I responded in: dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member" -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 8:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? Hi Joe Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only "Write Property" The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this too.. dsacls GRPDN /G "domain\user:WP" Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 27, 2005 7:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group? The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one. However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the "Add/Remove self as member" permission. Sort of like dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member" Or through a script. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 26, 2005 7:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] More than 1 user having 'managed by' for a group? Hi all, Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups? Thanks in advance! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
