Resolution
fact
Directory and Resource Administrator 6.x
symptom
Assistant Admins with powers over only a specific OU are able to manage other OUs.
cause
The Administrator that created the OU based ActiveViews, along with the Assistant Admin assignments, is delegated the role Built-in Admin. The Built-in Admin role gives the Assistant Admins the ability to manage 'all' objects within the managed domain.
fix
Remove the Assistant Admin from the Built-in Admin role assignment. Assign more limited specific roles/powers, such as Built-in User Account, the Assistant Admins will then only be able to manage the specific OU.
Directory and Resource Administrator 6.x
symptom
Assistant Admins with powers over only a specific OU are able to manage other OUs.
cause
The Administrator that created the OU based ActiveViews, along with the Assistant Admin assignments, is delegated the role Built-in Admin. The Built-in Admin role gives the Assistant Admins the ability to manage 'all' objects within the managed domain.
fix
Remove the Assistant Admin from the Built-in Admin role assignment. Assign more limited specific roles/powers, such as Built-in User Account, the Assistant Admins will then only be able to manage the specific OU.
Additional Information
Formerly known as NETIQKB13317