
Delegate Full Access but prevent assigning of additional Access Templates

Hi,

In my company, I have delegated Full Access (all objects) to several Organizational Units in AD - I recently noticed this also allows admins to assign additional Access Templates to allow other users to have access to that same area. Is there any way I can prevent this from happening? I don't mind them seeing the existing config or the templates themselves, but they should not be able to assign or remove any Access Templates. I already tried blocking class "Access Templates" but that didn't seem to help (guess that only locks out modifying the templates themselves). Couldn't find the option for denying (un)assigning templates or policies etc.

Thanks!

  • Hi Johnny,

    Thanks for the tip regarding a Deny on "Write Control" under Object Access in the delegation Wizard.

    I initially tried with an Access Template which only grants Full Control on these classes:
    - Computer
    - Contact
    - Container
    - group
    - OU
    - User

    Unfortunately the above, along with Read-Only permissions on the AR Configuration container, would still allow them to link Access Templates and Policies.

    I've now included the Deny on "Write control" as you mentioned and this eliminated the option completely. Seems like the best solution for me at the moment!
    Thanks again for your effort to get this explained/resolved - much appreciated! Best regards,

    Michiel