Yeah, I'm not in love with the more cumbersome security tab in the newer UI.

WRT the original question, we do some computer object ACL modification. See 
http://www.netid.washington.edu/documentation/delegPerms.aspx for our public 
documentation of the configuration related to that. The use case is to enable 
delegated computer administration in a shared domain.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Miller Bonnie L.
Sent: Wednesday, June 3, 2015 8:05 AM
To: [email protected]
Subject: [adgpo] RE: Security Tab on Computer Objects

And to expand on that, I have, for example, an AD group that has some specific 
delegation for working with computer account objects.  On the OU, I change the 
dropdown to only computer objects, and then select the properties needed.  
Specifically, it's for our repair techs and they get "reset password" and the 
ability to add/delete the objects (where delegated).

BTW, I had to do this again recently for a new OU (we have new construction 
going on) and I absolutely HATE what they did in 2012 with the interface.  
Makes it really cumbersome.
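
The delegation described in the message above (create/delete of computer objects on an OU, plus "reset password" on the computer objects beneath it), scripted as an added example that is not part of the original thread. The OU distinguished name and the group name are hypothetical placeholders; the two GUIDs are the standard AD schema identifiers for the computer class and the Reset Password extended right.

```powershell
# Added example, not from the thread. OU DN and group name are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'
$groupName = 'Repair-Techs'

# Well-known GUIDs from the AD schema
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

$sid   = (Get-ADGroup -Identity $groupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$path  = "AD:\$ouDn"
$acl   = Get-Acl -Path $path

# ACE 1: create/delete child objects of class computer only (no other object types),
# on this OU and any sub-OUs.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: Reset Password, inherited only by descendant objects of class computer,
# so user accounts in the same OU are not affected.
$reset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($reset)
Set-Acl -Path $path -AclObject $acl

# Review what is now explicitly granted to the group on this OU.
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```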

From: [email protected] [mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Tuesday, June 2, 2015 10:42 AM
To: [email protected]
Subject: [adgpo] RE: Security Tab on Computer Objects


Usually you would modify the ACL of the OU the object is in, for delegating 
permissions.

You can go down to the computer object level though, for joining to the domain 
for example.

Or allowing a service account to update certain attributes on specific objects.

________________________________
From: [email protected] [[email protected]] on behalf of Matthew Topper 
[[email protected]]
Sent: Tuesday, May 26, 2015 9:49 AM
To: [email protected]
Subject: [adgpo] Security Tab on Computer Objects

I'm not trying to accomplish anything specific, but I thought I'd ask this out 
of curiosity:


Under what circumstances would you need to modify the ACL of a computer object? 
 Is it any different for domain controllers?


Matthew Topper
