Resolution
fact
Directory and Resource Administrator 6.x
symptom
Assistant Admins granted the 'Permanently delete a user account from the Recycle Bin' power can delete any user account in the same ActiveView, including accounts that are not in the Recycle Bin.
cause
The 'Permanently delete a user account from the Recycle Bin' power grants the Assistant Admins the Delete power as well, thus allowing them to delete any user account included in that ActiveView.
fix
To allow Assistant Admins to permanently delete only user accounts that have been sent to the Recycle Bin, create a new ActiveView configured as follows:
- Create an Include rule that includes all users in all domains
- Create an Exclude rule that excludes all OUs whose name matches * and whose members are users
Grant the 'Permanently delete a user account from the Recycle Bin' power over this new ActiveView rather than over the ActiveView containing the live accounts.
Additional Information
Formerly known as NETIQKB28643