How do I create a policy to restrict Assistant Admins from creating groups of a certain type or scope (NETIQKB375)

  • 7700375
  • 02-Feb-2007
  • 20-Jun-2007

Resolution

goal
How do I create a policy to restrict Assistant Admins from creating groups of a certain type or scope?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix

Policies in Directory and Resource Administrator can be configured to restrict the creation of certain groups. The following is an example of a policy that prevents Assistant Admins from creating Universal groups:

Directory and Resource Administrator 7.x

  1. Launch the Delegation and Configuration Management console while logged on as an Assistant Admin with, at minimum, DRA Admin Role.
  2. Expand the Policy and Automation Management node.
  3. Select Policy, right-click and select New Policy | Create a policy to validate a specific property..., and click Next.
  4. Select the All ActiveViews and All Assistant Admin groups and click Next.
  5. From the Class drop down menu, select Groups.
  6. Click the Browse button for the Property field.
  7. Search and select groupType and click Add.
  8. Click OK then click Next.
  9. Under Valid property values and ranges, type 2 and click Add value. Then enter the values 4, -2147483644 and -2147483646 one at a time, clicking Add value after each one.
  10. Select the Required property - Enforce that a value is entered for the property option and click Next.
  11. Specify an error message that will be returned when an Assistant Admin attempts to create a Universal group. For example:
      'Creating Universal Groups is against company policy'
  12. Click Next.
  13. Specify a name under Policy name.
  14. Select the This policy must always pass and the Policy enabled options.
  15. Click Next then click Finish.

Directory and Resource Administrator 6.x

  1. Launch the MMC interface while logged on as an Assistant Admin with, at minimum, Built-in Security Role.
  2. Expand the Policy and automation management snap-in.
  3. Select Policy and click New.
  4. In the Create Policy Object dialog box, select Create a policy to validate a specific property and click Next.
  5. Select the All ActiveViews and All Assistant Admin groups and click Next.
  6. From the Select object class drop down menu, select Groups.
  7. Click the Browse button for the Select class property.
  8. Select groupType and click Add.
  9. Click OK then click Next.
  10. Under Valid property values and ranges, type 2 and click Add value. Then enter the values 4, -2147483644 and -2147483646 one at a time, clicking Add value after each one.
  11. Select the Required property - Enforce that a value is entered for the property option and click Next.
  12. Specify an error message that will be returned when an Assistant Admin attempts to create a Universal group. For example:
      'Creating Universal Groups is against company policy'
  13. Click Next.
  14. Specify a name under Policy name.
  15. Select the This policy must always pass and the Policy enabled options.
  16. Click Next then click Finish.

This policy prevents all Assistant Admins from creating Universal groups in the managed domain. Policies in Directory and Resource Administrator can also be configured so they are only enforced when the task is performed by certain Assistant Admins in certain ActiveViews.

Note: The following is the list of groupType values (with the corresponding group type and scope) to be used in Steps 10 and 11 to define the groups that will be permitted:

  • 2 - Distribution - Global Group
  • 4 - Distribution - Domain Local Group
  • 8 - Distribution - Universal Group
  • -2147483644 - Security - Domain Local Group
  • -2147483646 - Security - Global Group
  • -2147483640 - Security - Universal Group
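The negative values in the list above are not arbitrary: groupType is a signed 32-bit bitmask in which 2, 4 and 8 select the scope (Global, Domain Local, Universal) and the sign bit (0x80000000) marks a security group, which is why security groups show up as large negative numbers. The following added example (not part of the KB article and not DRA product code) decodes those values and emulates the allow-list check the policy performs, so an administrator can confirm before typing the values in that the four permitted entries cover exactly the non-Universal scopes and that every Universal groupType is rejected with the policy's error message. The function names and the validate_group_creation return shape are this example's own.

```python
# Added example, not from the NetIQ article or the DRA product: models the
# groupType allow-list validation that the policy above enforces.

# Bit layout of the Active Directory groupType attribute (signed 32-bit integer).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # sign bit: security groups are negative as signed ints

SCOPE_NAMES = {
    GROUP_TYPE_GLOBAL: "Global",
    GROUP_TYPE_DOMAIN_LOCAL: "Domain Local",
    GROUP_TYPE_UNIVERSAL: "Universal",
}

# The four values the article's policy enters under "Valid property values and ranges".
ALLOWED_GROUP_TYPES = {2, 4, -2147483644, -2147483646}

# All six values from the article's note, used to audit the allow-list.
KNOWN_GROUP_TYPES = (2, 4, 8, -2147483644, -2147483646, -2147483640)

# Error message the article suggests returning to the Assistant Admin.
POLICY_ERROR = "Creating Universal Groups is against company policy"


def to_unsigned32(value: int) -> int:
    """Reinterpret a signed 32-bit groupType as unsigned so bit tests work on negatives."""
    return value & 0xFFFFFFFF


def describe_group_type(value: int) -> str:
    """Return text in the article's 'Security - Global Group' style for a groupType value."""
    bits = to_unsigned32(value)
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    scope_bits = bits & (GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL)
    scope = SCOPE_NAMES.get(scope_bits)
    if scope is None:
        raise ValueError(f"groupType {value} does not encode exactly one group scope")
    return f"{kind} - {scope} Group"


def is_universal(value: int) -> bool:
    """True when the Universal scope bit is set, regardless of security/distribution."""
    return bool(to_unsigned32(value) & GROUP_TYPE_UNIVERSAL)


def validate_group_creation(group_type):
    """Emulate the policy: the property is required and must be an allow-listed value.

    Returns (allowed, message), mirroring the pass/fail plus error text DRA shows.
    """
    if group_type is None:  # "Enforce that a value is entered for the property"
        return False, "groupType is required by policy"
    if group_type not in ALLOWED_GROUP_TYPES:
        return False, POLICY_ERROR
    return True, f"allowed: {describe_group_type(group_type)}"


def allowed_scope_summary() -> dict:
    """Map each allow-listed value to its description, for reviewing the policy."""
    return {v: describe_group_type(v) for v in sorted(ALLOWED_GROUP_TYPES)}


def policy_blocks_exactly_universal() -> bool:
    """Audit: over the known values, the policy denies a value iff it is Universal."""
    return all(
        validate_group_creation(v)[0] == (not is_universal(v)) for v in KNOWN_GROUP_TYPES
    )


if __name__ == "__main__":
    for candidate in KNOWN_GROUP_TYPES + (None,):
        ok, msg = validate_group_creation(candidate)
        label = "n/a" if candidate is None else describe_group_type(candidate)
        verdict = "ALLOW" if ok else "DENY "
        print(f"{str(candidate):>12}  {label:<32} -> {verdict} {msg}")
    print("allow-list blocks exactly the Universal scopes:", policy_blocks_exactly_universal())
```

Running the block prints one line per groupType value with the policy's verdict; policy_blocks_exactly_universal() is the check worth keeping, since a typo in one of the negative values (for example entering -2147483640 instead of -2147483646) would silently permit Security Universal groups while blocking Security Global ones.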


Additional Information

Formerly known as NETIQKB375