Domain Admins can see the Policy and Automation node in the MMC. (NETIQKB27635)

  • 7727635
  • 02-Feb-2007
  • 19-Jun-2007


Directory and Resource Administrator 6.60

Domain Admins can see the Policy and Automation node in the MMC.

The cause of this issue is the Built-in 'Domain Admins Assistant Admins' Group is delegated the role 'Built-In Admin' which exposes this node.


The Domain Admins can only view the 'Policy' and 'Automation' node and the majority of the settings are not viewable to the Domain Admins.  The only policy change that a Domain Admin can make in the Policy and Automation node is modifications to the Exchange policies.

This issue is resolved in Directory and Resource Administrator 7.0 and later.


A potential workaround in DRA 6,x is to remove the Built in Domain Admins Assistant Admins group from the registry on the DRA server.  This Assistant Admin Group is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\Deputy\Built-in Domain Admins

Note that this is not a supported configuration.  In addition, after removing the Built in Domain Admins Assistant Admin group, you will have to manually create ActiveViews to delegate powers to Domain Admins in DRA. 

<B>WARNING:</B> Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. <P>Make sure that you backup your Registry prior to making any changes.

Additional Information

Formerly known as NETIQKB27635