Directory and Resource Administrator 6.x
Built-in Admin role assigned in any ActiveView appears to give an Assistant Administrator additional powers in other ActiveViews.
Consider the following two ActiveViews (AV):
AV1:
- Include domain and all its members
- Exclude user Administrator
The AA has the Built-in Admin role in AV1.
When viewing a list of users in this AV the AA does not see the Administrator user but is able to perform all functions on all other domain objects. This is as intended.
AV2:
- Include user Administrator
The same AA has a role in AV2 that allows modifying the Employee ID field only.
If AV2 were the only AV in the environment, the AA would only be able to modify the Employee ID field. Put AV1 in the mix and the AA seems to be able to modify all properties of the Administrator account even when selecting it from AV2. It appears that the Built-in Admin role crosses AV boundaries.
This is a display issue with MMC. When the DRA server sees that the AA has the Built-in Admin role, it does not query the AA's powers over the specific object to determine which fields in the property sheets to enable. All fields are displayed as enabled and editable. However, an error message is generated whenever an attempt is made to modify a property that the AA does not have any power over.
This issue is addressed in the DRA 7.0 GUI changes. The options are grayed out whenever an AA cannot modify a particular property.
There is no security hole because:
- The AA cannot see values that they do not have power over.
- If an attempt is made to update a property that they do not have power over, an authorization error is returned.
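The following is an added illustration, not DRA code: a simplified model of how role assignments in separate ActiveViews combine into effective powers over one object, and why the 6.x MMC display (Built-in Admin anywhere enables every field) differs from the server-side check on an actual update. ActiveView rule semantics, the AA name "aa1", the property names and the user "jsmith" are assumptions.

```python
# Added illustration (not DRA code). Rule semantics, role contents,
# property names and account names are assumptions for this model.
from dataclasses import dataclass, field

ALL_PROPERTIES = frozenset({"displayName", "description", "employeeID"})
BUILT_IN_ADMIN = ALL_PROPERTIES  # Built-in Admin: power over every property


@dataclass
class ActiveView:
    name: str
    include_domain: bool = False               # "Include domain and all its members"
    include_users: frozenset = frozenset()     # explicit "Include user" rules
    exclude_users: frozenset = frozenset()     # explicit "Exclude user" rules
    roles: dict = field(default_factory=dict)  # assistant admin -> editable properties

    def contains(self, user: str) -> bool:
        # An explicit exclude rule overrides any include rule (assumed semantics).
        if user in self.exclude_users:
            return False
        return self.include_domain or user in self.include_users


def effective_powers(views, aa, user):
    """Server-side view: union of powers from every AV that contains the object."""
    powers = set()
    for av in views:
        if av.contains(user):
            powers |= av.roles.get(aa, frozenset())
    return frozenset(powers)


def server_modify(views, aa, user, prop):
    """The check performed on an actual update request, regardless of the display."""
    return "ok" if prop in effective_powers(views, aa, user) else "authorization error"


def mmc_enabled_fields(views, aa, user):
    """6.x MMC display: Built-in Admin in any AV enables all fields without a
    per-object power query; otherwise fields follow the real effective powers."""
    if any(av.roles.get(aa) == BUILT_IN_ADMIN for av in views):
        return ALL_PROPERTIES
    return effective_powers(views, aa, user)


# Constructed scenario mirroring the two ActiveViews in the article.
AV1 = ActiveView("AV1", include_domain=True,
                 exclude_users=frozenset({"Administrator"}),
                 roles={"aa1": BUILT_IN_ADMIN})
AV2 = ActiveView("AV2", include_users=frozenset({"Administrator"}),
                 roles={"aa1": frozenset({"employeeID"})})
VIEWS = [AV1, AV2]
```

Running the model shows the MMC enabling every field on the Administrator account for aa1 while the server accepts only the employeeID update and returns an authorization error for the rest.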