How do I allow cross-OU group membership changes without additional powers over users in other OU's? (NETIQKB19713)

  • 7719713
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
How do I allow cross-OU group membership changes without additional powers over users in other OU's?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix

When OU structure in an Active Directory domain is based on both department and location-related OU names, it may become necessary to allow Assistant Admins to manage users and/or groups from top level OUs they do not normally have permissions over.  Consider the following situation:

You have three top level OUs, each pertaining to a data center. Each data center has multiple site OUs, based on location. Each of those location OUs has separate child OUs for users, groups, computers, and contacts. Each data center OU has an ActiveView created, with Assistant Admins assigned complete power over all objects within their own data center OU only. To allow the data center Assistant Admins to add users from the other data center OUs to groups in their own OUs, without gaining any additional powers over those users, use the following ActiveView structure:

Create three ActiveViews, one for each datacenter, with the following rules:

  • DataCenter1
    • Include groups in OU domain/DataCenter1 and its child OUs
    • Include users in OU domain/DataCenter2 and its child OUs
    • Include users in OU domain/DataCenter3 and its child OUs
  • DataCenter2
    • Include groups in OU domain/DataCenter2 and its child OUs
    • Include users in OU domain/DataCenter1 and its child OUs
    • Include users in OU domain/DataCenter3 and its child OUs
  • DataCenter3
    • Include groups in OU domain/DataCenter3 and its child OUs
    • Include users in OU domain/DataCenter1 and its child OUs
    • Include users in OU domain/DataCenter2 and its child OUs

Assign the Assistant Admin group from each data center the following powers:

  • Modify Group Membership - Add A Member
  • Modify Group Membership - Remove A Member

This ActiveView configuration allows the DataCenter1 Assistant Admins to add DataCenter2 and DataCenter3 users to DataCenter1 groups, but does not grant them the same powers over those users that they hold over DataCenter1 users.

NOTE: For this to be an effective security structure within DRA, you must be careful not to create any ActiveView rules, in these or any other ActiveViews, that include groups together with their member users, or that include users by virtue of their membership in a group. Such a rule could grant an Assistant Admin more powers than intended over users in the other data centers. In a situation such as this, all ActiveView rules should be built on OU membership only.
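The following is an added illustration, not DRA code and not part of the original article: a small Python model of how the three-data-center ActiveView structure above scopes powers, and of the over-grant the NOTE warns about. Object paths, the "Modify User Properties" power name, the two-ActiveView-per-data-center layout, and the rule that adding a member requires the Add A Member power on the group plus visibility of the user are all assumptions made for the model.

```python
"""Toy model of DRA ActiveView scoping (added illustration, not DRA's own logic)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Power names: the two membership powers come from the article; MODIFY_USER is an
# assumed stand-in for any other power a data center admin holds over its own users.
ADD_MEMBER = "Modify Group Membership - Add A Member"
REMOVE_MEMBER = "Modify Group Membership - Remove A Member"
MODIFY_USER = "Modify User Properties"
ALL_POWERS = {ADD_MEMBER, REMOVE_MEMBER, MODIFY_USER}


@dataclass(frozen=True)
class ADObject:
    path: str                              # slash-separated OU path, e.g. domain/DataCenter2/Site2/Users/bob
    kind: str                              # "user" or "group"
    members: FrozenSet[str] = frozenset()  # for groups: member paths


@dataclass(frozen=True)
class Rule:
    kind: str                  # object class selected: "user" or "group"
    ou: str                    # the rule covers this OU and all child OUs
    with_members: bool = False # also pull in member users of matching groups (the pattern the NOTE warns against)

    def matches(self, obj: ADObject, directory: Dict[str, ADObject]) -> bool:
        in_ou = obj.path.startswith(self.ou + "/")   # "/" keeps DataCenter1 from matching DataCenter10
        if obj.kind == self.kind and in_ou:
            return True
        if self.with_members and self.kind == "group" and obj.kind == "user":
            # A user outside the OU is included merely because a group inside the OU lists it.
            return any(g.kind == "group" and g.path.startswith(self.ou + "/") and obj.path in g.members
                       for g in directory.values())
        return False


@dataclass
class ActiveView:
    name: str
    rules: List[Rule]
    powers: Set[str]   # powers granted to the Assistant Admin group assigned to this view


def in_scope(view: ActiveView, obj: ADObject, directory: Dict[str, ADObject]) -> bool:
    return any(r.matches(obj, directory) for r in view.rules)


def can(views: List[ActiveView], power: str, obj: ADObject, directory: Dict[str, ADObject]) -> bool:
    """The admin holds `power` over `obj` if some assigned view includes the object and grants the power."""
    return any(power in v.powers and in_scope(v, obj, directory) for v in views)


def can_add_member(views, group: ADObject, user: ADObject, directory) -> bool:
    # Assumption of the model: Add A Member is checked on the group, and the user must be
    # visible in some assigned view (which is why the cross-OU user rules exist).
    return can(views, ADD_MEMBER, group, directory) and any(in_scope(v, user, directory) for v in views)


def datacenter_views(n: int, full_view_includes_members: bool = False) -> List[ActiveView]:
    """Views assigned to DataCenter<n> admins: full power over their own OU plus the article's membership view."""
    own = f"domain/DataCenter{n}"
    full = ActiveView(f"DataCenter{n}-Full",
                      [Rule("user", own), Rule("group", own, with_members=full_view_includes_members)],
                      set(ALL_POWERS))
    membership = ActiveView(f"DataCenter{n}",
                            [Rule("group", own)] + [Rule("user", f"domain/DataCenter{k}") for k in (1, 2, 3) if k != n],
                            {ADD_MEMBER, REMOVE_MEMBER})
    return [full, membership]


# Constructed sample directory: one user per data center 1 and 2, one DataCenter1 group that already lists bob.
DIRECTORY = {o.path: o for o in [
    ADObject("domain/DataCenter1/Site1/Users/alice", "user"),
    ADObject("domain/DataCenter2/Site2/Users/bob", "user"),
    ADObject("domain/DataCenter1/Site1/Groups/App-Users", "group", frozenset({"domain/DataCenter2/Site2/Users/bob"})),
]}


def check_design() -> Dict[str, bool]:
    group = DIRECTORY["domain/DataCenter1/Site1/Groups/App-Users"]
    alice = DIRECTORY["domain/DataCenter1/Site1/Users/alice"]
    bob = DIRECTORY["domain/DataCenter2/Site2/Users/bob"]
    dc1, dc2 = datacenter_views(1), datacenter_views(2)
    return {
        "dc1_adds_dc2_user_to_dc1_group": can_add_member(dc1, group, bob, DIRECTORY),   # intended: allowed
        "dc1_modifies_own_user": can(dc1, MODIFY_USER, alice, DIRECTORY),               # intended: allowed
        "dc1_modifies_dc2_user": can(dc1, MODIFY_USER, bob, DIRECTORY),                 # intended: denied
        "dc2_adds_to_dc1_group": can_add_member(dc2, group, bob, DIRECTORY),            # intended: denied
        # The NOTE's failure mode: a "groups and their member users" rule in the full-power view
        # silently extends full powers to bob because a DataCenter1 group lists him.
        "dc1_modifies_dc2_user_with_member_rule": can(datacenter_views(1, True), MODIFY_USER, bob, DIRECTORY),
    }


if __name__ == "__main__":
    for name, allowed in check_design().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last entry of `check_design()` is the point of the NOTE: every OU-based rule keeps bob out of the full-power view, and only the membership-based rule lets a DataCenter2 user inherit DataCenter1 powers.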

Additional Information

Formerly known as NETIQKB19713