Resolution
Goal
What is the $SpecialGroupsPolicy in Directory and Resource Administrator?
How do I restrict some actions on special groups and their members?
How do I remove restrictions of some actions on special groups and their members?
What validation logic does Directory and Resource Administrator use to determine whether an action is permitted on a special group or its members?
Fact
Directory and Resource Administrator 6.x
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x
Fix
Directory and Resource Administrator (DRA) uses the policy $SpecialGroupsPolicy (which is enabled by default) to restrict some actions on special groups and their members. If you do not want to restrict actions on special groups and their members, you can disable this policy using the Business Rules and Policy snap-in from the MMC interface or by disabling the policy in the Delegation and Configuration console/Policies.
See: NETIQKB11895: 'How can I exclude certain 'Special' or 'Built-In' groups from ActiveViews?'
When the special groups policy is in effect, Directory and Resource Administrator uses the following validation logic to determine whether an action is permitted on a special group or its members:
- If the Assistant Admin is a Windows NT or Windows 2000\2003 administrator, the Assistant Admin can perform actions on special groups and their members for which the Assistant Admin has the appropriate power.
- If the Assistant Admin is a member of a special group, the Assistant Admin can perform actions on the same special group and its members, as long as the Assistant Admin has the appropriate power.
- If the Assistant Admin is not a member of a special group, the Assistant Admin cannot modify a special group or its members.
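To make the three rules concrete, the following is an added example (not DRA's own code) that models this validation logic in Python over a constructed directory; treating a "Windows administrator" as a member of Administrators or Domain Admins, and requiring membership in each special group a target belongs to, are assumptions of the model.

```python
# Added example, not DRA code: a model of the $SpecialGroupsPolicy checks.

# Special groups as listed for Windows 2000\2003 on this page.
SPECIAL_GROUPS = {
    "Administrators", "Domain Admins", "Print Operators", "Backup Operators",
    "Account Operators", "Cert Publishers", "DNS Admins", "Enterprise Admins",
    "Group Policy Creator Owners", "Schema Admins",
}
# Assumption: "Windows administrator" means membership in one of these.
WINDOWS_ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed directory: group name -> direct user members (no nesting).
DIRECTORY = {
    "Administrators": {"alice"},
    "Domain Admins": {"alice", "dave"},
    "Backup Operators": {"bob", "carol"},
    "Help Desk": {"helen"},  # an ordinary, non-special group
}
# Constructed DRA power assignments: assistant admin -> granted powers.
POWERS = {
    "helen": {"reset-password"},
    "carol": {"reset-password"},
    "alice": {"reset-password", "modify-group"},
    "dave": set(),
}

def groups_of(principal):
    return {g for g, members in DIRECTORY.items() if principal in members}

def special_groups_involved(target):
    # The target is either a special group itself or a member of one or more.
    if target in SPECIAL_GROUPS:
        return {target}
    return groups_of(target) & SPECIAL_GROUPS

def is_permitted(assistant_admin, target, power, policy_enabled=True):
    """Return (allowed, reason) for an action needing `power` on `target`."""
    if power not in POWERS.get(assistant_admin, set()):
        return False, "assistant admin lacks the power"
    involved = special_groups_involved(target)
    if not policy_enabled or not involved:
        return True, "no special group involved, or policy disabled"
    aa_groups = groups_of(assistant_admin)
    if aa_groups & WINDOWS_ADMIN_GROUPS:
        return True, "assistant admin is a Windows administrator"
    # Assumption: a target in several special groups requires membership in each.
    if involved <= aa_groups:
        return True, "assistant admin is a member of the same special group(s)"
    return False, "target is protected by $SpecialGroupsPolicy"
```

The escalation case from the text (a help-desk admin with the password power targeting a member of Administrators) is denied, while the same admin is allowed on an unprivileged user or when the policy is disabled.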
This policy is designed to prevent escalation of powers. For example, if the Assistant Admin can change the password of a user in the Administrators group, he or she can then log on as that user and gain the access that the Administrators group provides. Thus, to provide a more secure environment, Directory and Resource Administrator treats the following groups in this special manner:
Windows NT:
- Administrators
- Domain Admins
- Print Operators
- Backup Operators
- Account Operators

Windows 2000\2003:
- Administrators
- Domain Admins
- Print Operators
- Backup Operators
- Account Operators
- Cert Publishers
- DNS Admins
- Enterprise Admins
- Group Policy Creator Owners
- Schema Admins
Additional Information
Formerly known as NETIQKB308