I am attempting to delegate the management of an OU to a group. The group needs to be able to create, delete, and rename OUs and edit the Description attribute of the OUs; the group should not have permissions to manage any other object types within the delegated OU. I have been able to configure the required permissions to create, delete, and rename OUs, but am having some issues with the Description attribute.
I attempted to do this using both the Delegate Control task and by manually assigning permissions; however, using either method, the only way I have been able to allow the group to edit the Description attribute is by giving the group the "Write all properties" permission. There does not appear to be an individual permission for the Description attribute.

As part of the delegation, I am trying to stop the group from being able to assign GPOs to the OUs. The only way I have managed to get this to work so far is to give the group the "Write all properties" permission. Selecting "Write all properties" automatically selects all permissions of the type Write; deselecting Write gPLink and Write gPOptions causes "Write all properties" to be deselected (all other Write permissions remain), but in this state the group is no longer able to edit the Description attribute (nor the Country/region attribute, but that is not something I need). So, in order to retain the ability to modify the Description attribute on the OU, I have had to add an explicit Deny on Write gPLink and Write gPOptions.
Does anyone know a way to accomplish what I want without having to use a Deny on the Write gPLink and Write gPOptions attributes?
Thanks
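The following is an added example, not code from the original post, showing the usual way round this: instead of "Write all properties" plus a Deny, grant a single object-specific Allow ACE whose ObjectType is the schemaIDGUID of the description attribute and whose InheritedObjectType is the organizationalUnit class. Active Directory evaluates such an ACE exactly like any other "Write <attribute>" entry, so gPLink and gPOptions are simply never granted and no Deny is needed. The Windows ACL editor filters the attributes it lists through %SystemRoot%\System32\dssec.dat, which is why some attributes never appear as individual "Write" checkboxes, but an ACE for a hidden attribute can still be added by GUID from PowerShell. The OU distinguished name and group name below are placeholders, and the GUIDs are resolved from the schema at run time rather than hard-coded. The final function re-reads the ACL and reports whether the group holds any Write right on gPLink, gPOptions or "all properties" (empty ObjectType, or GenericAll/GenericWrite), and whether any Deny ACE is present.

```powershell
# Added example (not from the original post). Delegates Write on the 'description'
# attribute of OUs to a group with an attribute-specific ACE, then verifies that
# the group has no write path to gPLink / gPOptions and that no Deny ACE is used.
# Assumed placeholders: the delegated OU's DN and the group's sAMAccountName.
Import-Module ActiveDirectory

$ouDN     = 'OU=Delegated,DC=corp,DC=example'   # assumed: delegated OU
$groupSam = 'OU-Admins'                          # assumed: delegated group

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the forest schema instead of hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$ouClassGuid     = Get-SchemaGuid 'organizationalUnit'
$descriptionGuid = Get-SchemaGuid 'description'
$gpLinkGuid      = Get-SchemaGuid 'gPLink'
$gpOptionsGuid   = Get-SchemaGuid 'gPOptions'

$sid = (Get-ADGroup -Identity $groupSam).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow WriteProperty on 'description' only.
#   ObjectType          = the description attribute
#   InheritedObjectType = organizationalUnit, so the inherited ACE lands only on
#                         OUs, not on users/computers/groups under the delegated OU
#   Inheritance All     = applies to the delegated OU itself and to descendant OUs
$writeDescription = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
    $ouClassGuid)
$acl.AddAccessRule($writeDescription)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: re-read the ACL and inspect only this group's ACEs.
# GrantsGpoLinkWrite is $true if any ACE carries WriteProperty (including via
# GenericAll/GenericWrite) with ObjectType empty ("all properties"), gPLink or
# gPOptions. Property sets are not expanded here.
function Test-GpoLinkDelegationSafe {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$GroupSid
    )
    $aclNow = Get-Acl -Path $Path
    $aces = $aclNow.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $GroupSid }

    $writeAll = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $risky = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($writeAll) -and
        ($_.ObjectType -in @([guid]::Empty, $gpLinkGuid, $gpOptionsGuid))
    }
    $denies = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        GrantsGpoLinkWrite = [bool]$risky
        UsesDeny           = [bool]$denies
        Aces               = $aces
    }
}

$result = Test-GpoLinkDelegationSafe -Path "AD:\$ouDN" -GroupSid $sid
$result | Format-List GrantsGpoLinkWrite, UsesDeny
$result.Aces | Format-Table AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

After running this, `GrantsGpoLinkWrite` should be `$false` and `UsesDeny` should be `$false` for the group, while a description edit on a child OU succeeds. The same pattern (attribute GUID as ObjectType, organizationalUnit as InheritedObjectType) works for any other single attribute the ACL editor does not list, and it is preferable to a Deny because a later, broader Allow granted to the group elsewhere would not silently be masked by an unrelated Deny that someone assumes is still doing the work.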