How do I limit the changing of Group Type without changing other group rights? (NETIQKB48708)

  • 7748708
  • 02-Feb-2007
  • 13-Sep-2007

Resolution

goal
How do I limit the changing of Group Type without changing other group rights?

goal
How do I restrict Assistant Admins from changing the 'Group Type' from Security to Distribution but keep other group rights the same?

fact
Directory and Resource Administrator 7.x

fix

You can limit the changing of Group Type without changing other group rights by using a policy. When setting restrictions on a limited group of Assistant Admins, isolate them from the rest of the Assistant Admins so the policy does not affect everyone.

To establish an Assistant Admins Group and assign the needed policy to that group:

  1. Launch the Delegation and Configuration console logged on with an account that has DRA Administrator permissions.
  2. Expand Delegation Management in the left tree view.
  3. Select Assistant Admins and click the New Assistant Admins Group icon on the toolbar.
  4. Click Next.
  5. Click Add then Users.
  6. Type the name of the user you are looking for in the text box and click Find Now.
  7. Select the desired user and click Add.
  8. Click OK.
  9. Click Next.
  10. Name the new Assistant Admins Group and click Next.
  11. Uncheck I Want to Delegate power... then click Finish.
  12. Launch the Delegation and Configuration console logged on with an account that has DRA Administrator permissions.
  13. Expand the Policy and Automation Management node.
  14. Select Policy, right-click, select New Policy | Create a policy to validate a specific property..., and click Next.
  15. Select These ActiveViews and click Browse.
  16. Type the name of the desired ActiveView in the text box and click Find Now.
  17. Select the ActiveView and click Add then click OK.
  18. Select These Assistant Admin groups and click Browse.
  19. Type the name of the desired Group in the text box and click Find Now.
  20. Select the Group and click Add then click OK.
  21. Click Next.
  22. From the Class drop down menu, select Groups.
  23. Click the Browse button for the Property field.
  24. Search and select groupType and click Add.
  25. Click OK then click Next.
  26. Under Valid property values and ranges, type 2 and click Add value. Then enter the values 4, -2147483644, and -2147483646 one at a time, clicking Add value after each one.
  27. Select the Required property - Enforce that a value is entered for the property option and click Next.
  28. Specify an error message that will be returned when an Assistant Admin attempts to create a Universal group. For example:
      'Creating Universal Groups is against company policy'
  29. Click Next.
  30. Specify a name under Policy name.
  31. Select the This policy must always pass and the Policy enabled options.
  32. Click Next then click Finish.

This policy prevents all Assistant Admins from creating Universal groups in the managed domain. Policies in Directory and Resource Administrator can also be configured so they are only enforced when the task is performed by certain Assistant Admins in certain ActiveViews.

Note: The following is a list of values (with corresponding group scope and type) to be used in Steps 10 and 11 to define the groups that will be permitted:

  • 2 - Distribution - Global Group
  • 4 - Distribution - Domain Local Group
  • 8 - Distribution - Universal Group
  • -2147483644 - Security - Domain Local Group
  • -2147483646 - Security - Global Group
  • -2147483640 - Security - Universal Group
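
The values in this list are bit flags stored as a signed 32-bit integer: 0x2, 0x4 and 0x8 select the scope, and 0x80000000 marks a security group, which is why the security values are negative. The following Python is an added example, not part of the original article and not DRA code; it decodes groupType values and reports which groups fall outside the four values entered as valid in the policy. The function names and sample group names are constructed for illustration.

```python
# Added example, not DRA code. Flag values are the Active Directory
# groupType bits; function names and the sample groups are constructed.
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}

# The four values entered as valid in the policy procedure above.
POLICY_ALLOWED = {2, 4, -2147483644, -2147483646}


def decode_group_type(value):
    """Return (type, scope) for a signed 32-bit groupType value."""
    bits = value & 0xFFFFFFFF  # view the signed integer as unsigned
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    scope = SCOPE_BITS.get(bits & 0xE)  # exactly one scope bit must be set
    if scope is None:
        raise ValueError(f"groupType {value} has no single scope bit set")
    return kind, scope


def encode_group_type(kind, scope):
    """Inverse of decode_group_type: build the signed value AD stores."""
    bit = {name: b for b, name in SCOPE_BITS.items()}[scope]
    bits = bit | (SECURITY_ENABLED if kind == "Security" else 0)
    return bits - 0x100000000 if bits & SECURITY_ENABLED else bits


def rejected_by_policy(groups, allowed=POLICY_ALLOWED):
    """List (name, type, scope) for groups whose groupType is not allowed."""
    return [(name, *decode_group_type(gt))
            for name, gt in groups if gt not in allowed]


# Constructed sample data: (group name, groupType).
SAMPLE_GROUPS = [
    ("HelpDesk-Operators", -2147483646),
    ("Finance-Mail", 2),
    ("AllStaff-Mail", 8),
    ("Forest-Admins", -2147483640),
    ("Print-Local", -2147483644),
]

if __name__ == "__main__":
    for row in rejected_by_policy(SAMPLE_GROUPS):
        print(row)
```

Running it over an export of existing groups before enabling the policy shows which groups already hold a value the policy would reject.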


Additional Information

Formerly known as NETIQKB48708