Resolution
What configuration is required to allow an Assistant Admin to view managed objects in the AD and domain explorer snap-in node?
fact
Directory and Resource Administrator 6.x
fix
The AD and domain explorer snap-in node in DRA's MMC interface displays Active Directory objects organized by the OUs in which they are members. In order to view any objects using AD and domain explorer, the ActiveView the Assistant Admin is assigned to must contain object rules that include all parent OUs in the hierarchy structure that the managed objects fall under.
For example, DomainA contains the following OU structure:
OU1
-OU2
-OU3
OU3contains users and groups that an Assistant Admin is to manage. In order to view subordinate objects in any explorer-based interface, one must be able to see the parent object. In this example, the ActiveView should contain the following rules:
- Include OU DomainA/OU1/OU2/OU3 and members that are users and groups
- Include OU DomainA/OU1/OU2 but none of its members but do not allow the OUs to be moved to other OUs
- Include OU DomainA/OU1 but none of its members but do not allow the OUs to be moved to other OUs
Even if there are other objects that are members of OU1 or OU2, the Assistant Admin will not be able to view them in AD and domain explorer based on this set of rules. Furthermore, the Assistant Admin will not be able to modify any of the properties of OU3 as long as only user and group powers are assigned.