Domain Admins can see the Policy and Automation node in the MMC. (NETIQKB27635)

  • 7727635
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.60

symptom
Domain Admins can see the Policy and Automation node in the MMC.

cause
The cause of this issue is the Built-in 'Domain Admins Assistant Admins' Group is delegated the role 'Built-In Admin' which exposes this node.

fix

The Domain Admins can only view the 'Policy' and 'Automation' node and the majority of the settings are not viewable to the Domain Admins.  The only policy change that a Domain Admin can make in the Policy and Automation node is modifications to the Exchange policies.

This issue is resolved in Directory and Resource Administrator 7.0 and later.



note

A potential workaround in DRA 6,x is to remove the Built in Domain Admins Assistant Admins group from the registry on the DRA server.  This Assistant Admin Group is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\Deputy\Built-in Domain Admins

Note that this is not a supported configuration.  In addition, after removing the Built in Domain Admins Assistant Admin group, you will have to manually create ActiveViews to delegate powers to Domain Admins in DRA. 



note
<B>WARNING:</B> Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. <P>Make sure that you backup your Registry prior to making any changes.

Additional Information

Formerly known as NETIQKB27635