Dynamic Groups - Deny changes

Chaps.

We have Admins who have access to the MMC console and as such have the ability to change Dynamic group membership. Is there a way to stop, say, AdminGroup1234 from being able to edit specific Dynamic groups?

Thanks in advance  

  • Hi  

    There are a couple of ways of doing that

    1) Don't grant users permissions over the (dynamic) group objects they shouldn't be able to manage. As Johnny says, if they are all ARS Admin, people should be delegated permissions appropriate for the relevant sets of teams; the ARS Full Admin group is for the Active Roles product administrator, not for normal day-to-day use, as it gives configurational access to the product, meaning anyone with it could change anything.

    2) Have a workflow which intercepts changes made to dynamic groups: set its start condition to fire for members of particular groups, within an area of AD, where the attribute used to store the DG rule is updated. Then remove the change from the request, or just use a Break/Stop activity step to make it error... (removing the value from the request just makes it so that the attribute isn't changed; however, the person making the change would assume it's happened).

    There are a couple of other ways, but from my point of view, it's better to not grant users permissions in the first place, rather than add deny permissions. For everything else there are workflows and script modules.
