
Delegating rights to edit Managed Units

Is this even possible? I've tried all the access templates and none appear to allow editing of a Managed Unit's membership rules. I can delegate the right to create a Managed Unit Container, but unless you can then create a Managed Unit it's pointless.

  • Thanks, and I can see the reason why too, and thinking about this it was obvious. However (or there is always a BUT), the users in question are ARS admins that I am trying to limit. I want to remove just a little from the ARS admin role, but I don't want to prevent them from editing the Managed Units, and this means I have to give them full rights :-(.

    I'd prefer they didn't stop me delegating that right but instead warned me of the consequences of doing so. I suspect this is partly because the change tracking policies don't work in the configuration container.

    The argument is a little moot too, because I can delegate access to the script modules, which means if I do that, the users could modify the script to add any account they like to any group, including domain admins. Taking this to the extreme, I could create a policy that would detect my account being disabled, which would enable my account, reset the password to one of my choosing, add it to the domain admins, removing all others from all privileged groups, making me the only person that could administer anything in my environment.

    Following the logic of why I can't delegate access to create and manage MUs, I should not be able to manage any of the ARS configuration unless I am an ARS admin, and that's currently not the case.