RE: [ActiveDir] account operators

2005-08-23 Thread joe
Anytime a proxied account is being used, whatever automated system is using
it in the background absolutely needs to be logging everything it does. It
really is the better way to get logging, because native logging in AD of
people making changes with native rights is not optimal and, if you enable
enough logging, it can severely impact your environment.

No one, and I mean NO ONE, should know the password of the proxied account.
It should be some incredibly painful nasty long password and in fact, it
would be great if the system using the password actually changed it weekly
to some other nasty painful version and didn't tell anyone what it is. Then
maybe set up native auditing on that proxy account object to see if some
admin comes in and resets that password.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 23, 2005 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

We're using ActiveRoles, too, and I like it a lot.  The problem with a
proxied account these days is that auditors want to know who did what and
being able to pin it down to some service account acting as account operator
doesn't quite cut it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
Better Administration through Active Directory


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, August 12, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators


> Has anyone used shim products like NetIQ DRA?
> I've used it previously when it was a product from Mission Critical

We used it extensively in the NT days when it was Enterprise Administrator
and liked it very much. DRA was a wholesale flop here and we replaced it
with Active Roles as soon as we could get it past the bean counters. That
was several years ago and the product may have improved substantially but
the original offering after the acquisition was extremely unpopular here.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I remember reading something alluding to this on built-in groups in
general... can't remember where (maybe it was joe), but the general
principle was that if you utilise any of the built-in 'service' groups,
elevating permissions with these legacy groups is generally a fairly easy
thing to do for anyone with a bit of curiosity, determination and perhaps
ill-intent.

Has anyone used shim products like NetIQ DRA? I've used it previously when
it was a product from Mission Critical... these just proxy changes to AD and
empower ordinary domain users through the customer tools and
(proxied) interfaces. I realise there are shortcomings... a domain admin
is a domain admin after all but I'm interested in hearing comments.

Cheers
Mylo


Rick Kingslan wrote:

> joe - no need to apologize.  You're absolutely correct.  Once I read your
> e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
> go look to satisfy my curiosity.
>
> Honestly, what I saw scared me to a great degree.  AO does have full and
> complete access to any user object and property - period.  AO may not be
> able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
> scripted CDOEXM), but any other interface that will allow manipulation of the
> objects *IS* possible - and that revelation is quite shocking, to say the
> least.
>
> For anyone that wants to duplicate what I did - make use of a resource that
> is right at your finger tips.  Don't go poking around your production
> systems.  And, even if you don't have Exchange, you can still check this
> out.  Make use of the TechNet Virtual Labs for checking things out and
> determining if an idea will work - with no setup costs at all.  Find a lab
> that has the components that you need, and party on.  The labs are not
> restricted to allowing you to do only what the lab is designed for.  You can
> do practically anything you want - sometimes including adding in extra
> Windows and Server System components.
>
> Find the Virtual Servers at:
>
> http://microsoft.demoservers.com
>
> Thanks, joe - for calling this to my attention and correcting my 'rosy
> security' view of separation of duties when it comes to Exchange.  It's not
> as it appears - or as many writers have written.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, August 12, 

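The controls joe describes for a proxied account, written out as an added PowerShell example (this is not code from the thread, and not ActiveRoles or DRA code): a SACL entry so that every reset of the proxy account's password is audited, a weekly rotation that sets a random password no person ever sees and hands it to the consuming system only through a DPAPI-protected file, and a query that reports resets of that account (Security event 4724) not performed by the rotation job. The account name `svc-adproxy`, the rotation identity `EXAMPLE\svc-rotate` and the credential file path are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not code from the thread and not ActiveRoles or DRA code:
# the controls joe describes for a proxied account. Needs the ActiveDirectory
# module; the SACL change needs the "Manage auditing and security log"
# privilege, and the password reset needs reset rights on the account.
Import-Module ActiveDirectory

$ProxyAccount   = 'svc-adproxy'                             # placeholder sAMAccountName
$RotationJob    = 'EXAMPLE\svc-rotate'                      # placeholder: only identity expected to reset it
$CredentialFile = 'C:\ProgramData\ADProxy\proxy.cred.xml'   # placeholder path read by the proxy system

# rightsGuid of the "Reset Password" control access right (User-Force-Change-Password).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function New-RandomPassword {
    # 32 CSPRNG bytes, base64 encoded: long, meaningless, and never displayed.
    param([int] $Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force)
}

function Invoke-ProxyPasswordRotation {
    # Reset to a fresh random password and hand it to the consuming system only
    # through Export-Clixml, which DPAPI-protects the SecureString for this user
    # on this machine. No human ever sees the value; run it weekly as the
    # identity the proxy system uses to read the file.
    $secure = New-RandomPassword
    Set-ADAccountPassword -Identity $ProxyAccount -Reset -NewPassword $secure
    $cred = New-Object System.Management.Automation.PSCredential ($ProxyAccount, $secure)
    $cred | Export-Clixml -Path $CredentialFile
}

function Enable-ProxyPasswordResetAuditing {
    # SACL entry so every successful or failed "Reset Password" on the account is
    # logged. Account-management auditing must also be on for the events to exist.
    $dn  = (Get-ADUser -Identity $ProxyAccount).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier (
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule (
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        $ResetPasswordRight)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Get-UnexpectedProxyPasswordResets {
    # Event 4724, "An attempt was made to reset an account's password", on the
    # queried DC. Anything not done by the rotation job is what joe wants to see.
    param(
        [string] $DomainController = (Get-ADDomainController).HostName,
        [int]    $Days = 7
    )
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $ProxyAccount) { continue }
        $actor = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        if ($actor -ieq $RotationJob) { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Actor = $actor; Target = $data['TargetUserName']; DC = $DomainController }
    }
}

# Usage:
# Enable-ProxyPasswordResetAuditing      # once
# Invoke-ProxyPasswordRotation           # weekly, from a scheduled task
# Get-UnexpectedProxyPasswordResets      # daily check, run against each DC
```

Two points worth knowing when running this: a password reset is logged only on the domain controller that processed it, so the query has to be run against every DC (or a central collector) to be complete, and 4724 is the event ID of the Vista/2008 and later event log; the Windows Server 2003 generation in use when this thread was written logged the same action as event 628. The proxy's own request log, which joe asks for in the first paragraph, is what answers Al Maurer's auditors: it is the only place where the requesting user, rather than the service account, is recorded.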
RE: [ActiveDir] account operators

2005-08-23 Thread al_maurer
We're using ActiveRoles, too, and I like it a lot.  The problem with a proxied 
account these days is that auditors want to know who did what and being able to 
pin it down to some service account acting as account operator doesn't quite 
cut it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
Better Administration through Active Directory


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Free, Bob
Sent: Friday, August 12, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators


> Has anyone used shim products like NetIQ DRA?
> I've used it previously when it was a product from Mission Critical

We used it extensively in the NT days when it was Enterprise
Administrator and liked it very much. DRA was a wholesale flop here and
we replaced it with Active Roles as soon as we could get it past the
bean counters. That was several years ago and the product may have
improved substantially but the original offering after the acquisition
was extremely unpopular here.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I remember reading something alluding to this on built-in groups in 
general... can't remember where (maybe it was joe), but the general 
principle was that if you utilise any of the built-in 'service' groups, 
elevating permissions with these legacy groups is generally a fairly 
easy thing to do for anyone with a bit of curiosity, determination and 
perhaps ill-intent.

Has anyone used shim products like NetIQ DRA? I've used it previously 
when it was a product from Mission Critical... these just proxy changes 
to AD and empower ordinary domain users through the customer tools and 
(proxied) interfaces. I realise there are shortcomings... a domain admin
is a domain admin after all but I'm interested in hearing comments.

Cheers
Mylo


Rick Kingslan wrote:

> joe - no need to apologize.  You're absolutely correct.  Once I read your
> e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
> go look to satisfy my curiosity.
>
> Honestly, what I saw scared me to a great degree.  AO does have full and
> complete access to any user object and property - period.  AO may not be
> able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
> scripted CDOEXM), but any other interface that will allow manipulation of the
> objects *IS* possible - and that revelation is quite shocking, to say the
> least.
>
> For anyone that wants to duplicate what I did - make use of a resource that
> is right at your finger tips.  Don't go poking around your production
> systems.  And, even if you don't have Exchange, you can still check this
> out.  Make use of the TechNet Virtual Labs for checking things out and
> determining if an idea will work - with no setup costs at all.  Find a lab
> that has the components that you need, and party on.  The labs are not
> restricted to allowing you to do only what the lab is designed for.  You can
> do practically anything you want - sometimes including adding in extra
> Windows and Server System components.
>
> Find the Virtual Servers at:
>
> http://microsoft.demoservers.com
>
> Thanks, joe - for calling this to my attention and correcting my 'rosy
> security' view of separation of duties when it comes to Exchange.  It's not
> as it appears - or as many writers have written.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, August 12, 2005 12:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] account operators
>
> Sorry Rick, I have to correct you on this one.
>
> An account operator absolutely has enough rights to mailbox enable a user.
> AccOps by default have FC over user objects, they can do ANYTHING to a user
> they want to. The key is they have to know how to. You could for instance
> use admod or ldifde or adsiedit or anything that allows you to update
> mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
> I think you can do mailNickname and msExchHomeServerName.
>
> The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
> because the tools are written to enumerate Exchange config info which an
> AccOp doesn't have access to. I don't know if it was intended as a security
> feature or not but it is how it works. I wouldn't be surprised if it was a
> security feature because it aligns with some other

RE: [ActiveDir] account operators

2005-08-12 Thread Free, Bob
> Has anyone used shim products like NetIQ DRA?
> I've used it previously when it was a product from Mission Critical

We used it extensively in the NT days when it was Enterprise
Administrator and liked it very much. DRA was a wholesale flop here and
we replaced it with Active Roles as soon as we could get it past the
bean counters. That was several years ago and the product may have
improved substantially but the original offering after the acquisition
was extremely unpopular here.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I remember reading something alluding to this on built-in groups in 
general... can't remember where (maybe it was joe), but the general 
principle was that if you utilise any of the built-in 'service' groups, 
elevating permissions with these legacy groups is generally a fairly 
easy thing to do for anyone with a bit of curiosity, determination and 
perhaps ill-intent.

Has anyone used shim products like NetIQ DRA? I've used it previously 
when it was a product from Mission Critical... these just proxy changes 
to AD and empower ordinary domain users through the customer tools and 
(proxied) interfaces. I realise there are shortcomings... a domain admin
is a domain admin after all but I'm interested in hearing comments.

Cheers
Mylo


Rick Kingslan wrote:

> joe - no need to apologize.  You're absolutely correct.  Once I read your
> e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
> go look to satisfy my curiosity.
>
> Honestly, what I saw scared me to a great degree.  AO does have full and
> complete access to any user object and property - period.  AO may not be
> able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
> scripted CDOEXM), but any other interface that will allow manipulation of the
> objects *IS* possible - and that revelation is quite shocking, to say the
> least.
>
> For anyone that wants to duplicate what I did - make use of a resource that
> is right at your finger tips.  Don't go poking around your production
> systems.  And, even if you don't have Exchange, you can still check this
> out.  Make use of the TechNet Virtual Labs for checking things out and
> determining if an idea will work - with no setup costs at all.  Find a lab
> that has the components that you need, and party on.  The labs are not
> restricted to allowing you to do only what the lab is designed for.  You can
> do practically anything you want - sometimes including adding in extra
> Windows and Server System components.
>
> Find the Virtual Servers at:
>
> http://microsoft.demoservers.com
>
> Thanks, joe - for calling this to my attention and correcting my 'rosy
> security' view of separation of duties when it comes to Exchange.  It's not
> as it appears - or as many writers have written.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, August 12, 2005 12:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] account operators
>
> Sorry Rick, I have to correct you on this one.
>
> An account operator absolutely has enough rights to mailbox enable a user.
> AccOps by default have FC over user objects, they can do ANYTHING to a user
> they want to. The key is they have to know how to. You could for instance
> use admod or ldifde or adsiedit or anything that allows you to update
> mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
> I think you can do mailNickname and msExchHomeServerName.
>
> The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
> because the tools are written to enumerate Exchange config info which an
> AccOp doesn't have access to. I don't know if it was intended as a security
> feature or not but it is how it works. I wouldn't be surprised if it was a
> security feature because it aligns with some other silly tool based security
> MS did before like for instance being unable to view the admins group from
> usermgr if you weren't an admin but if you knew other mechanisms you could
> still do it... Or the GUI not listing hidden shares even though the server
> sends that info back to the clients requesting the info.
>
>
>
> The permissioning model of Exchange, especially in AD, quite frankly, sucks
> ass. It does almost everything it can to make it a pain in the butt to
> separate administration between AD/NOS stuff and Exchange stuff. Instead of
> using the mail property set or creating their own they glommed onto the base
> property sets. In order to do any separation you either have to change the
> prope

Re: [ActiveDir] account operators

2005-08-12 Thread Mylo
I remember reading something alluding to this on built-in groups in 
general... can't remember where (maybe it was joe), but the general 
principle was that if you utilise any of the built-in 'service' groups, 
elevating permissions with these legacy groups is generally a fairly 
easy thing to do for anyone with a bit of curiosity, determination and 
perhaps ill-intent.


Has anyone used shim products like NetIQ DRA? I've used it previously 
when it was a product from Mission Critical... these just proxy changes 
to AD and empower ordinary domain users through the customer tools and 
(proxied) interfaces. I realise there are shortcomings... a domain admin 
is a domain admin after all but I'm interested in hearing comments.


Cheers
Mylo


Rick Kingslan wrote:


joe - no need to apologize.  You're absolutely correct.  Once I read your
e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
go look to satisfy my curiosity.

Honestly, what I saw scared me to a great degree.  AO does have full and
complete access to any user object and property - period.  AO may not be
able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
scripted CDOEXM), but any other interface that will allow manipulation of the
objects *IS* possible - and that revelation is quite shocking, to say the
least.

For anyone that wants to duplicate what I did - make use of a resource that
is right at your finger tips.  Don't go poking around your production
systems.  And, even if you don't have Exchange, you can still check this
out.  Make use of the TechNet Virtual Labs for checking things out and
determining if an idea will work - with no setup costs at all.  Find a lab
that has the components that you need, and party on.  The labs are not
restricted to allowing you to do only what the lab is designed for.  You can
do practically anything you want - sometimes including adding in extra
Windows and Server System components.

Find the Virtual Servers at:

http://microsoft.demoservers.com

Thanks, joe - for calling this to my attention and correcting my 'rosy
security' view of separation of duties when it comes to Exchange.  It's not
as it appears - or as many writers have written.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 12, 2005 12:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

Sorry Rick, I have to correct you on this one.

An account operator absolutely has enough rights to mailbox enable a user.
AccOps by default have FC over user objects, they can do ANYTHING to a user
they want to. The key is they have to know how to. You could for instance
use admod or ldifde or adsiedit or anything that allows you to update
mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
I think you can do mailNickname and msExchHomeServerName. 


The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
because the tools are written to enumerate Exchange config info which an
AccOp doesn't have access to. I don't know if it was intended as a security
feature or not but it is how it works. I wouldn't be surprised if it was a
security feature because it aligns with some other silly tool based security
MS did before like for instance being unable to view the admins group from
usermgr if you weren't an admin but if you knew other mechanisms you could
still do it... Or the GUI not listing hidden shares even though the server
sends that info back to the clients requesting the info.



The permissioning model of Exchange, especially in AD, quite frankly, sucks
ass. It does almost everything it can to make it a pain in the butt to
separate administration between AD/NOS stuff and Exchange stuff. Instead of
using the mail property set or creating their own they glommed onto the base
property sets. In order to do any separation you either have to change the
property sets and hear cries of unsupported from PSS or you have to put in a
ton of ACEs or a half a ton of ACEs including a bunch of denies.

Most admins haven't the foggiest clue how much access they have given away
in AD to people. I have fielded many a question on how come some admin can
send mail as someone or get access to read mail for other users or mailbox
enable users, or how can so and so change mailbox quotas, etc etc. A common
delegation in AD is to give full control over user objects or allow low
level admins to create users. This is fine (well not really fine...) in a
NOS directory, but once you add Exchange to it those folks have a lot more
power, probably unintended power, over the mail system than was probably
intended. 


The best answer from a permission standpoint of protecting Exchange from AD
folks or protecting AD from Exchange folks is the dedicated Exchange
Resource Forest. If you do that and keep to a single domain in that forest

RE: [ActiveDir] account operators

2005-08-12 Thread Rick Kingslan
joe - no need to apologize.  You're absolutely correct.  Once I read your
e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
go look to satisfy my curiosity.

Honestly, what I saw scared me to a great degree.  AO does have full and
complete access to any user object and property - period.  AO may not be
able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
scripted CDOEXM), but any other interface that will allow manipulation of the
objects *IS* possible - and that revelation is quite shocking, to say the
least.

For anyone that wants to duplicate what I did - make use of a resource that
is right at your finger tips.  Don't go poking around your production
systems.  And, even if you don't have Exchange, you can still check this
out.  Make use of the TechNet Virtual Labs for checking things out and
determining if an idea will work - with no setup costs at all.  Find a lab
that has the components that you need, and party on.  The labs are not
restricted to allowing you to do only what the lab is designed for.  You can
do practically anything you want - sometimes including adding in extra
Windows and Server System components.

Find the Virtual Servers at:

http://microsoft.demoservers.com

Thanks, joe - for calling this to my attention and correcting my 'rosy
security' view of separation of duties when it comes to Exchange.  It's not
as it appears - or as many writers have written.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 12, 2005 12:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

Sorry Rick, I have to correct you on this one.

An account operator absolutely has enough rights to mailbox enable a user.
AccOps by default have FC over user objects, they can do ANYTHING to a user
they want to. The key is they have to know how to. You could for instance
use admod or ldifde or adsiedit or anything that allows you to update
mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
I think you can do mailNickname and msExchHomeServerName. 

The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
because the tools are written to enumerate Exchange config info which an
AccOp doesn't have access to. I don't know if it was intended as a security
feature or not but it is how it works. I wouldn't be surprised if it was a
security feature because it aligns with some other silly tool based security
MS did before like for instance being unable to view the admins group from
usermgr if you weren't an admin but if you knew other mechanisms you could
still do it... Or the GUI not listing hidden shares even though the server
sends that info back to the clients requesting the info.



The permissioning model of Exchange, especially in AD, quite frankly, sucks
ass. It does almost everything it can to make it a pain in the butt to
separate administration between AD/NOS stuff and Exchange stuff. Instead of
using the mail property set or creating their own they glommed onto the base
property sets. In order to do any separation you either have to change the
property sets and hear cries of unsupported from PSS or you have to put in a
ton of ACEs or a half a ton of ACEs including a bunch of denies.

Most admins haven't the foggiest clue how much access they have given away
in AD to people. I have fielded many a question on how come some admin can
send mail as someone or get access to read mail for other users or mailbox
enable users, or how can so and so change mailbox quotas, etc etc. A common
delegation in AD is to give full control over user objects or allow low
level admins to create users. This is fine (well not really fine...) in a
NOS directory, but once you add Exchange to it those folks have a lot more
power, probably unintended power, over the mail system than was probably
intended. 

The best answer from a permission standpoint of protecting Exchange from AD
folks or protecting AD from Exchange folks is the dedicated Exchange
Resource Forest. If you do that and keep to a single domain in that forest
you also get away from all of the nasty DSACCESS issues to boot around user
and group updates from outlook.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

>> why can't they create a mailbox for a regular user?

Simply, the Account Operator is designed to work as a principal that allows
work on accounts as they are BY DEFAULT out of Windows Server.

The real reason is that typically, in most medium to large organizations,
there is a mail admin team and a server admin team (at least it was VERY
much this way with Exch 5.5).

Separation of the functions was a goal to carry forwar

RE: [ActiveDir] account operators

2005-08-11 Thread joe
Sorry Rick, I have to correct you on this one.

An account operator absolutely has enough rights to mailbox enable a user.
AccOps by default have FC over user objects, they can do ANYTHING to a user
they want to. The key is they have to know how to. You could for instance
use admod or ldifde or adsiedit or anything that allows you to update
mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
I think you can do mailNickname and msExchHomeServerName. 

The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
because the tools are written to enumerate Exchange config info which an
AccOp doesn't have access to. I don't know if it was intended as a security
feature or not but it is how it works. I wouldn't be surprised if it was a
security feature because it aligns with some other silly tool based security
MS did before like for instance being unable to view the admins group from
usermgr if you weren't an admin but if you knew other mechanisms you could
still do it... Or the GUI not listing hidden shares even though the server
sends that info back to the clients requesting the info.



The permissioning model of Exchange, especially in AD, quite frankly, sucks
ass. It does almost everything it can to make it a pain in the butt to
separate administration between AD/NOS stuff and Exchange stuff. Instead of
using the mail property set or creating their own they glommed onto the base
property sets. In order to do any separation you either have to change the
property sets and hear cries of unsupported from PSS or you have to put in a
ton of ACEs or a half a ton of ACEs including a bunch of denies.

Most admins haven't the foggiest clue how much access they have given away
in AD to people. I have fielded many a question on how come some admin can
send mail as someone or get access to read mail for other users or mailbox
enable users, or how can so and so change mailbox quotas, etc etc. A common
delegation in AD is to give full control over user objects or allow low
level admins to create users. This is fine (well not really fine...) in a
NOS directory, but once you add Exchange to it those folks have a lot more
power, probably unintended power, over the mail system than was probably
intended. 

The best answer from a permission standpoint of protecting Exchange from AD
folks or protecting AD from Exchange folks is the dedicated Exchange
Resource Forest. If you do that and keep to a single domain in that forest
you also get away from all of the nasty DSACCESS issues to boot around user
and group updates from outlook.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

>> why can't they create a mailbox for a regular user?

Simply, the Account Operator is designed to work as a principal that allows
work on accounts as they are BY DEFAULT out of Windows Server.

The real reason is that typically, in most medium to large organizations,
there is a mail admin team and a server admin team (at least it was VERY
much this way with Exch 5.5).

Separation of the functions was a goal to carry forward - but it could only
be done by Group membership / permissions on attributes.

If you take a look at the Advanced Security properties of a user, and drill
in to the permissions granted to the AO, you're going to find that the
permission for the Exchange functions are not granted.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

That's what I thought but then it would make sense that AO group would be
able to set that attrib on a user they have full control over.
Why can't they create a mailbox for a regular user?
Thanks as always, Rick

On 8/11/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> No, not the store - it's a bit of a misnomer that to create a mailbox
> you need to have permissions to the store.
>
> If you can create the mailbox attributes on the user account, the first
> time that a mail message is delivered to the newly mailbox-enabled user,
> the actual storage area on the store is created.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would 
> include exchange attribs.
> i guess they still need rights to the store?
> is that it?
> thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exch

RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
>> why can't they create a mailbox for a regular user?

Simply, the Account Operator is designed to work as a principal that allows
work on accounts as they are BY DEFAULT out of Windows Server.

The real reason is that typically, in most medium to large organizations,
there is a mail admin team and a server admin team (at least it was VERY
much this way with Exch 5.5).

Separation of the functions was a goal to carry forward - but it could only
be done by Group membership / permissions on attributes.

If you take a look at the Advanced Security properties of a user, and drill
in to the permissions granted to the AO, you're going to find that the
permission for the Exchange functions are not granted.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

That's what I thought but then it would make sense that AO group would
be able to set that attrib on a user they have full control over.
Why can't they create a mailbox for a regular user?
Thanks as always, Rick

On 8/11/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> No, not the store - it's a bit of a misnomer that to create a mailbox you
> need to have permissions to the store.
>
> If you can create the mailbox attributes on the user account, the first
> time that a mail message is delivered to the newly mailbox-enabled user, the
> actual storage area on the store is created.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would
> include exchange attribs.
> i guess they still need rights to the store?
> is that it?
> thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exchange View Only Admin permissions (or higher).
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Thursday, August 11, 2005 8:27 AM
> > To: activedirectory
> > Subject: [ActiveDir] account operators
> >
> > is there any reason an account operator could create a user but not a
> > mailbox for that user?
> >
> > thanks
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] account operators

2005-08-11 Thread Tom Kern
That's what I thought, but then it would make sense that the AO group would
be able to set that attrib on a user they have full control over.
Why can't they create a mailbox for a regular user?
Thanks as always, Rick

On 8/11/05, Rick Kingslan <[EMAIL PROTECTED]> wrote:
> No, not the store - it's a bit of a misnomer that to create a mailbox you
> need to have permissions to the store.
> 
> If you can create the mailbox attributes on the user account, the first time
> that a mail message is delivered to the newly mailbox-enabled user, the
> actual storage area on the store is created.
> 
> Rick
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 9:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would
> include exchange attribs.
> I guess they still need rights to the store?
> Is that it?
> Thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exchange View Only Admin permissions (or higher).
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Thursday, August 11, 2005 8:27 AM
> > To: activedirectory
> > Subject: [ActiveDir] account operators
> >
> > Is there any reason an account operator could create a user but not a
> > mailbox for that user?
> >
> > thanks


RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
Because, by default, the AO does not have permissions over Exchange
attributes.

These need to be assigned separately.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I plan on getting rid of it.

My question is really for my own knowledge.
If homeMDB and mailNickname are parts of a user attrib and AO has full
control on that user by default, why can't they set a mailbox via
ADUC? I guess ADUC uses CDOEXM?

Also, is it a good idea not to use Backup Operators and the other
Builtin groups?
Thanks

On 8/11/05, joe <[EMAIL PROTECTED]> wrote:
> Strictly speaking, anyone who has the ability to set mailNickname and
> homeMDB can create a mailbox. However... It depends on the tool being used.
> Most tools, especially anything that uses CDOEXM or emulates CDOEXM
> explicitly, will require Exchange View access to look up the homeMDB URL. If
> you use LDIF or admod or anything else that can directly update those
> attributes mentioned above, you are good to go.
> 
> That being said, while you are new and making changes, take away account op
> rights. It is a pain to clean up later and you run into issues with
> adminsdholder when people try to reset each other's passwords etc. Acc Ops is
> there simply for the migration from NT to AD. After that you should go to
> delegated IDs.
> 
>   joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 10:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would include
> exchange attribs.
> I guess they still need rights to the store?
> Is that it?
> Thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exchange View Only Admin permissions (or higher).
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Thursday, August 11, 2005 8:27 AM
> > To: activedirectory
> > Subject: [ActiveDir] account operators
> >
> > Is there any reason an account operator could create a user but not a
> > mailbox for that user?
> >
> > thanks


RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
No, not the store - it's a bit of a misnomer that to create a mailbox you
need to have permissions to the store.

If you can create the mailbox attributes on the user account, the first time
that a mail message is delivered to the newly mailbox-enabled user, the
actual storage area on the store is created.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I thought AO had complete rights to the user object which would
include exchange attribs.
I guess they still need rights to the store?
Is that it?
Thanks

On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> I expect they lack Exchange View Only Admin permissions (or higher).
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 8:27 AM
> To: activedirectory
> Subject: [ActiveDir] account operators
> 
> Is there any reason an account operator could create a user but not a
> mailbox for that user?
> 
> thanks


Re: [ActiveDir] account operators

2005-08-11 Thread Tom Kern
I plan on getting rid of it.

My question is really for my own knowledge.
If homeMDB and mailNickname are parts of a user attrib and AO has full
control on that user by default, why can't they set a mailbox via
ADUC? I guess ADUC uses CDOEXM?

Also, is it a good idea not to use Backup Operators and the other
Builtin groups?
Thanks

On 8/11/05, joe <[EMAIL PROTECTED]> wrote:
> Strictly speaking, anyone who has the ability to set mailNickname and
> homeMDB can create a mailbox. However... It depends on the tool being used.
> Most tools, especially anything that uses CDOEXM or emulates CDOEXM
> explicitly, will require Exchange View access to look up the homeMDB URL. If
> you use LDIF or admod or anything else that can directly update those
> attributes mentioned above, you are good to go.
> 
> That being said, while you are new and making changes, take away account op
> rights. It is a pain to clean up later and you run into issues with
> adminsdholder when people try to reset each other's passwords etc. Acc Ops is
> there simply for the migration from NT to AD. After that you should go to
> delegated IDs.
> 
>   joe
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 10:57 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] account operators
> 
> I thought AO had complete rights to the user object which would include
> exchange attribs.
> I guess they still need rights to the store?
> Is that it?
> Thanks
> 
> On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> > I expect they lack Exchange View Only Admin permissions (or higher).
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: Thursday, August 11, 2005 8:27 AM
> > To: activedirectory
> > Subject: [ActiveDir] account operators
> >
> > Is there any reason an account operator could create a user but not a
> > mailbox for that user?
> >
> > thanks


RE: [ActiveDir] account operators

2005-08-11 Thread joe
Strictly speaking, anyone who has the ability to set mailNickname and
homeMDB can create a mailbox. However... It depends on the tool being used.
Most tools, especially anything that uses CDOEXM or emulates CDOEXM
explicitly, will require Exchange View access to look up the homeMDB URL. If
you use LDIF or admod or anything else that can directly update those
attributes mentioned above, you are good to go.

That being said, while you are new and making changes, take away account op
rights. It is a pain to clean up later and you run into issues with
adminsdholder when people try to reset each other's passwords etc. Acc Ops is
there simply for the migration from NT to AD. After that you should go to
delegated IDs.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I thought AO had complete rights to the user object which would include
exchange attribs.
I guess they still need rights to the store?
Is that it?
Thanks

On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> I expect they lack Exchange View Only Admin permissions (or higher).
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 8:27 AM
> To: activedirectory
> Subject: [ActiveDir] account operators
> 
> Is there any reason an account operator could create a user but not a
> mailbox for that user?
> 
> thanks


RE: [ActiveDir] account operators

2005-08-11 Thread Coleman, Hunter
Yes. Regardless of the rights they have on the user object, they will
also need rights within Exchange (or proxied rights via a web page or
provisioning code). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I thought AO had complete rights to the user object which would include
exchange attribs.
I guess they still need rights to the store?
Is that it?
Thanks

On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> I expect they lack Exchange View Only Admin permissions (or higher).
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 8:27 AM
> To: activedirectory
> Subject: [ActiveDir] account operators
> 
> Is there any reason an account operator could create a user but not a
> mailbox for that user?
> 
> thanks


Re: [ActiveDir] account operators

2005-08-11 Thread Tom Kern
I thought AO had complete rights to the user object which would
include exchange attribs.
I guess they still need rights to the store?
Is that it?
Thanks

On 8/11/05, Coleman, Hunter <[EMAIL PROTECTED]> wrote:
> I expect they lack Exchange View Only Admin permissions (or higher).
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: Thursday, August 11, 2005 8:27 AM
> To: activedirectory
> Subject: [ActiveDir] account operators
> 
> Is there any reason an account operator could create a user but not a
> mailbox for that user?
> 
> thanks


RE: [ActiveDir] account operators

2005-08-11 Thread Coleman, Hunter
I expect they lack Exchange View Only Admin permissions (or higher). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 8:27 AM
To: activedirectory
Subject: [ActiveDir] account operators

Is there any reason an account operator could create a user but not a
mailbox for that user?

thanks


RE: [ActiveDir] account operators and admins

2004-07-20 Thread Creamer, Mark
Thanks Bob,
looks like that’s what’s happening

From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 20, 2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] account operators and admins

google for adminsdholder

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, July 20, 2004 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] account operators and admins

Is there a built-in mechanism that keeps account operators from being able to manage a
domain admin account? I noticed when we apply account operators the right to
manage an admin account, a little while later it’s removed.

Mark Creamer


RE: [ActiveDir] account operators and admins

2004-07-20 Thread Free, Bob



google for adminsdholder

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, July 20, 2004 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] account operators and admins

Is there a built-in mechanism that keeps account operators from being able to manage a
domain admin account? I noticed when we apply account operators the right to
manage an admin account, a little while later it’s removed.

Mark Creamer

RE: [ActiveDir] Account Operators can't move users

2002-10-18 Thread Rick Kingslan
Glad to hear that it's working properly.  It could be what is termed in
our environment as a PICNIC issue - Problem In Chair - Not In Computer.

;)

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
"Any sufficiently advanced technology
is indistinguishable from magic."
  ---  Arthur C. Clarke





> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of David Adner
> Sent: Friday, October 18, 2002 8:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Account Operators can't move users
> 
> 
> Well, sorry to raise a fuss, since when I created a test 
> account, added it 
> to the Account Operators group, and tried moving users, it 
> worked.  So I'm 
> going to have to work with the user to figure out exactly 
> what's going on.
> 
> >What is the exact error that the user receives when he 
> attempts to move 
> >a user?
> 
> 
> --
> David
> 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Account Operators can't move users

2002-10-18 Thread Rick Kingslan


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of David Adner
> Sent: Friday, October 18, 2002 8:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Account Operators can't move users
> 
> 
> Well, sorry to raise a fuss, since when I created a test 
> account, added it 
> to the Account Operators group, and tried moving users, it 
> worked.  So I'm 
> going to have to work with the user to figure out exactly 
> what's going on.
> 
> >What is the exact error that the user receives when he 
> attempts to move 
> >a user?
> 
> 
> --
> David
> 



Re: [ActiveDir] Account Operators can't move users

2002-10-18 Thread David Adner
Well, sorry to raise a fuss, since when I created a test account, added it 
to the Account Operators group, and tried moving users, it worked.  So I'm 
going to have to work with the user to figure out exactly what's going on.

What is the exact error that the user receives when he attempts to move a
user?



--
David




Re: [ActiveDir] Account Operators can't move users

2002-10-18 Thread Tim Hines
What is the exact error that the user receives when he attempts to move a
user?

Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory




- Original Message -
From: "David Adner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 7:48 PM
Subject: Re: [ActiveDir] Account Operators can't move users


> I checked and they do have this permission.  Also, they create users in the
> target OU's with no problems, so wouldn't that indicate they have this
> permission?
>
> >The account operators group will need the "create user object" permission on
> >the OU that they are moving the user to.  When you move a user it is
> >creating the user in the OU that you are moving it to.
> >
> >Tim Hines, MCSA, MCSE (2000 & NT4)
> >MVP - Active Directory
> >
> >
> >
> >
> >- Original Message -
> >From: "David Adner" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Thursday, October 17, 2002 5:51 PM
> >Subject: [ActiveDir] Account Operators can't move users
> >
> >
> > > We added some users to the Account Operators group in our AD domain so
> > > they could manage accounts and that's it.  One of the tasks they need to do
> > > is move users between OU's.  When they try this, they get a message
> > > stating they aren't allowed.
> > >
> > > I looked at the permissions of the OU's and don't see a "move user"
> > > permission.  They have Create/Delete users, so I'm not sure why they
> > > can't move them.
> > >
> > > Any help is appreciated.
> > >
> > >
> > >
> > > --
> > > David
> > >
>
>
> --
> David
>



RE: [ActiveDir] Account Operators can't move users

2002-10-18 Thread David N. Precht
Delegate the rights to them

-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of David Adner
Sent: Thursday, October 17, 2002 17:52
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Account Operators can't move users


We added some users to the Account Operators group in our AD domain so they
could manage accounts and that's it.  One of the tasks they need to do is
move users between OU's.  When they try this, they get a message stating
they aren't allowed.

I looked at the permissions of the OU's and don't see a "move user"
permission.  They have Create/Delete users, so I'm not sure why they can't
move them.

Any help is appreciated.



--
David




Re: [ActiveDir] Account Operators can't move users

2002-10-18 Thread David Adner
I checked and they do have this permission.  Also, they create users in the 
target OU's with no problems, so wouldn't that indicate they have this 
permission?

The account operators group will need the "create user object" permission on
the OU that they are moving the user to.  When you move a user it is
creating the user in the OU that you are moving it to.

Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory




- Original Message -
From: "David Adner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 5:51 PM
Subject: [ActiveDir] Account Operators can't move users


> We added some users to the Account Operators group in our AD domain so they
> could manage accounts and that's it.  One of the tasks they need to do is
> move users between OU's.  When they try this, they get a message stating
> they aren't allowed.
>
> I looked at the permissions of the OU's and don't see a "move user"
> permission.  They have Create/Delete users, so I'm not sure why they can't
> move them.
>
> Any help is appreciated.
>
>
>
> --
> David
>



--
David




RE: [ActiveDir] Account Operators can't move users

2002-10-18 Thread Ken Cornetet
We've seen the same thing here. Apparently, anyone in the "Account
Operators" group cannot change anyone else in "Account Operators" or
"Administrators", even if they have adequate AD permissions.

This happens for any AD modification, not just mailbox moves.

-Original Message-
From: David Adner [mailto:davidadner@;adelphia.net]
Sent: Thursday, October 17, 2002 4:52 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Account Operators can't move users


We added some users to the Account Operators group in our AD domain so they 
could manage accounts and that's it.  One of the tasks they need to do is 
move users between OU's.  When they try this, they get a message stating 
they aren't allowed.

I looked at the permissions of the OU's and don't see a "move user" 
permission.  They have Create/Delete users, so I'm not sure why they can't 
move them.

Any help is appreciated.



--
David



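The "rights get removed a little while later" and "can't change other Account Operators even with adequate permissions" observations in this thread are both AdminSDHolder/SDProp behaviour. The report below is an added example, not code from any poster here; it assumes the RSAT ActiveDirectory module (Get-AD* cmdlets and the AD: drive) and a domain account with read access, and the function names are this example's own.

```powershell
# Added example, not code from this thread. Assumes the RSAT ActiveDirectory
# module (Get-AD* cmdlets and the AD: drive) and a domain user with read access.
# Function and variable names are this example's own.
Import-Module ActiveDirectory

function Get-ExplicitAceSet {
    # Explicit (non-inherited) ACEs of an AD security descriptor as one sorted
    # string, so two DACLs can be compared regardless of ACE ordering
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $lines = foreach ($r in $rules) {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $r.IdentityReference, $r.ActiveDirectoryRights,
            $r.AccessControlType, $r.ObjectType, $r.InheritedObjectType, $r.InheritanceType
    }
    ($lines | Sort-Object) -join "`n"
}

function Get-ProtectedAccountStatus {
    # SDProp (every 60 minutes by default) stamps the DACL of
    # CN=AdminSDHolder,CN=System onto every adminCount=1 account and blocks
    # inheritance, which is why rights delegated on such an account disappear
    $domainDN  = (Get-ADDomain).DistinguishedName
    $holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $template  = Get-ExplicitAceSet -Acl $holderAcl

    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            # $false: SDProp has not re-stamped it yet, or the DACL was edited since
            MatchesAdminSDHolder = ((Get-ExplicitAceSet -Acl $acl) -eq $template)
        }
    }
}

function Get-AccountOperatorsProtection {
    # Account Operators is itself a protected group by default, so its members
    # carry adminCount=1 and cannot be managed by other Account Operators no
    # matter what has been delegated on the OU
    Get-ADGroupMember -Identity 'Account Operators' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties adminCount
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Protected         = ($u.adminCount -eq 1)
                DistinguishedName = $u.DistinguishedName
            }
        }
}

# Who in Account Operators is protected, and which protected accounts currently
# differ from the AdminSDHolder template (a finding worth following up)
Get-AccountOperatorsProtection | Format-Table -AutoSize
Get-ProtectedAccountStatus | Where-Object { -not $_.MatchesAdminSDHolder } | Format-Table -AutoSize
```

An account that keeps showing MatchesAdminSDHolder = $false for longer than the SDProp interval has had its DACL changed outside the template, which is the same condition joe recommends auditing on the proxy account.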

Re: [ActiveDir] Account Operators can't move users

2002-10-18 Thread Tim Hines
The account operators group will need the "create user object" permission on
the OU that they are moving the user to.  When you move a user it is
creating the user in the OU that you are moving it to.

Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory




- Original Message -
From: "David Adner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 5:51 PM
Subject: [ActiveDir] Account Operators can't move users


> We added some users to the Account Operators group in our AD domain so they
> could manage accounts and that's it.  One of the tasks they need to do is
> move users between OU's.  When they try this, they get a message stating
> they aren't allowed.
>
> I looked at the permissions of the OU's and don't see a "move user"
> permission.  They have Create/Delete users, so I'm not sure why they can't
> move them.
>
> Any help is appreciated.
>
>
>
> --
> David
>



RE: [ActiveDir] Account Operators can't move users

2002-10-18 Thread David Adner
Is delegating required to make this work or just a work-around?  I have no 
problems doing it; I just want to understand this better.  Thanks


Delegate the rights to them

-Original Message-
From: [EMAIL PROTECTED]
[mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of David Adner
Sent: Thursday, October 17, 2002 17:52
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Account Operators can't move users


We added some users to the Account Operators group in our AD domain so they
could manage accounts and that's it.  One of the tasks they need to do is
move users between OU's.  When they try this, they get a message stating
they aren't allowed.

I looked at the permissions of the OU's and don't see a "move user"
permission.  They have Create/Delete users, so I'm not sure why they can't
move them.

Any help is appreciated.



--
David




--
David
