How do I create an ActiveView to allow Assistant Administrators to move objects from one OU to another, but not include the OU itself?
If I grant admins the ability to move objects from OU to OU, how do I prevent them from moving OUs as well?
Directory and Resource Administrator 7.x
To create an ActiveView that allows Assistant Admins to move objects from one OU to another, but not include the OU itself:
1. Open the Delegation and Configuration console with an account that has Security Admin permissions.
2. Under Delegation Management, select ActiveViews.
3. Select New ActiveView.
4. Click Next at the Welcome screen.
5. Click Add > Objects that match a rule...
6. Under Directory Objects, select Domains.
7. Click any domain and select Manage Specific Objects Types in Domain...
8. Clear Organizational Units and click OK. Leaving Computers, Contacts, Groups and Users selected will allow the Admin to move any of these object types from any OU to another.
9. Click OK.
10. Click Add > Objects that match a rule...
11. Under Directory Objects, select Organizational Units.
12. Click any OU and select Manage Specific Objects Types in Domain...
13. Click Clear All and OK.
14. Click any OU, but no objects in the OU, and select Restrict Usage and Do not allow these objects to be cloned, moved, or added to groups.
15. Click OK.
16. Click Next and give the ActiveView a name.
17. Click Finish.
When you delegate the Assistant Admins, Assistant Admin Groups, or Groups to the ActiveView, ensure you also delegate the Move Object to OU authority. The ActiveView also requires View All authority for all remaining managed objects as noted in step 8 above:
- View All Computer Properties
- View All Contact Properties
- View All Group Properties
- View All User Properties