How can Assistant Admins be restricted to creating specific objects in specific OUs?

  • 7710386
  • 02-Feb-2007
  • 21-Mar-2013

Environment

NetIQ Directory and Resource Administrator 8.x

Situation

NetIQ Directory and Resource Administrator (DRA) allows DRA Administrators to create ActiveViews (AVs) over specific OUs within DRA-managed domains. These AVs control what actions can be performed and who (specific DRA Assistant Admins) can perform them. The DRA security model is based on explicit assignment of rights: if a specific right or power is not explicitly assigned to a specific object for a specific DRA Assistant Admin (AA), he or she will be denied the ability to perform that action.

Resolution

When creating any object in an Active Directory environment, the Assistant Admin must have a target OU included in the ActiveView granting the Create or Clone power. When the Assistant Admin creates an object of that type, the default target OU will be the one specified in the ActiveView rule. For example, consider an ActiveView structure as follows:

AV1

  • Include OU domain_name/OU1 but none of its members
  • Include groups but none of its members in domain domain_name
  • AA1 is granted the All Properties - Create a Group power

AV2

  • Include OU domain_name/OU2 but none of its members
  • Include users in domain domain_name
  • AA1 is granted the All Properties - Create a User Account power

In this example, AA1 has two target OUs, OU1 and OU2. When a group account is created, though, DRA will set the default OU to OU1 and the Assistant Admin will not be able to change it even though OU2 is defined as a target OU in another ActiveView. Likewise, AA1 will only be able to create user accounts in OU2, which will be set as the default OU during UserCreate operations.
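The following Python model is an added illustration of the explicit-assignment rule applied to the AV1/AV2 example above; it is not DRA code and does not use any DRA API. The `ActiveView` class, the `creatable_ous` and `default_target_ou` functions, and the extra ActiveViews `AV3` and `AV4` are constructed assumptions. `AV3` models the case described under Additional Information, where a further ActiveView grants the same Create power over a third OU, and `AV4` shows that an ActiveView which includes an OU and the object type but grants no power contributes nothing.

```python
# Constructed model of how DRA resolves the target OUs for a Create power.
# This is an illustration written for this article, not DRA code or its API.
# Names (ActiveView, creatable_ous, default_target_ou) and the sample
# ActiveViews are assumptions that mirror the AV1/AV2 example above.
from dataclasses import dataclass, field


@dataclass
class ActiveView:
    name: str
    include_ous: list                 # OUs included "but none of its members"
    include_types: list               # object types the AV includes ("group", "user")
    create_powers: dict = field(default_factory=dict)  # AA name -> set of types with Create power


def creatable_ous(aa, object_type, activeviews):
    """Return, in ActiveView order, every OU in which `aa` may create `object_type`.

    Explicit-assignment model: an OU qualifies only when ONE ActiveView both
    includes that OU and grants `aa` the Create power for that object type.
    OU2 being included in AV2 does not let AA1 create a group there, because
    AV2 never grants the Create a Group power.
    """
    ous = []
    for av in activeviews:
        if object_type not in av.include_types:
            continue                          # AV does not cover this object type
        if object_type not in av.create_powers.get(aa, set()):
            continue                          # no explicit Create power here: denied
        for ou in av.include_ous:
            if ou not in ous:
                ous.append(ou)
    return ous


def default_target_ou(aa, object_type, activeviews):
    """DRA presents the first qualifying OU as the default target (None if denied)."""
    ous = creatable_ous(aa, object_type, activeviews)
    return ous[0] if ous else None


# Constructed ActiveViews matching the article's example.
AV1 = ActiveView("AV1", ["domain_name/OU1"], ["group"], {"AA1": {"group"}})
AV2 = ActiveView("AV2", ["domain_name/OU2"], ["user"], {"AA1": {"user"}})
# A third ActiveView of the kind described under Additional Information:
# it includes OU3 and grants AA1 the Create a Group power.
AV3 = ActiveView("AV3", ["domain_name/OU3"], ["group"], {"AA1": {"group"}})
# An ActiveView that includes OU4 and groups but grants AA1 NO power: contributes nothing.
AV4 = ActiveView("AV4", ["domain_name/OU4"], ["group"], {})


def article_scenario():
    """Target OUs for AA1 with only AV1 and AV2 in force."""
    return {
        "group": creatable_ous("AA1", "group", [AV1, AV2]),
        "user": creatable_ous("AA1", "user", [AV1, AV2]),
    }


def with_third_activeview():
    """Target OUs for group creation once AV3 (and the powerless AV4) are added."""
    return creatable_ous("AA1", "group", [AV1, AV2, AV3, AV4])


if __name__ == "__main__":
    print("AV1+AV2:", article_scenario())
    print("default OU for group create:", default_target_ou("AA1", "group", [AV1, AV2]))
    print("with AV3 and AV4:", with_third_activeview())
```

Running the block prints OU1 as the only group target and OU2 as the only user target with AV1 and AV2 alone; adding AV3 makes OU3 selectable for group creation, while AV4 changes nothing because no power is assigned in it.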

Additional Information

If another ActiveView grants the Assistant Admin the Create power for one of these objects and includes a third OU, the Assistant Admin would then be able to select the third OU during the create operation. To find other ActiveViews the Assistant Admin may be a member of, perform the following steps:

  1. Launch the DRA Delegation and Configuration Console or the Account and Resource Management Console.
  2. Search for the DRA Assistant Admin in question.
  3. Right-click the AD user account and select Show Powers.
  4. Expand the ActiveViews list item to obtain a list of all ActiveViews that the Assistant Admin is a member of. Expanding the subsequent list items will also reveal the Assistant Admin groups and the Roles the Assistant Admin has in each ActiveView.
Formerly known as NETIQKB10386