Tree view security

My users are complaining that they can't see entire branches of the tree view. We're working on weaning users off ADUC and this is a concern because ADUC users are accustomed to working from the tree view.

Is there a security setting that exposes the tree view branch? Or like file folders, do you have to have "list" security at the root?

Regards,

JonR

  • Thanks Stu.   I am looking to do a more granular delegation.   If I have a tree that looks something like this:

    - Root.Domain

    -- Users

    ----Accounts

    -----Location1

    -----Location2

    -----Location3

    I'd like to grant permissions for a group of users to see Location1 but not Location2. But I guess what I need to know is what permissions to grant at the Users and Accounts levels without overprovisioning for the whole subtree? I've already delegated for the Location1 OU, but the users can't see the Users and Accounts levels, so they aren't able to browse the tree correctly.

    Regards,

    Jon

  • There are several ways to do that, but in essence you are just using Delegation of Control to do this, and the inheritance options.

    As one example, which might not fit your use case,

    • Create a delegation of control against Root.Domain, granting permissions to see the domain, but this direct object only, assigning against "Group A"
    • Create a delegation of control against Users OU granting permissions to see the OU, again this direct object only, assigning against "Group B"
    • Create a delegation of control against Accounts OU granting permissions to see the OU, again this direct object only, assigning against "Group C"
    • Then re-use your existing delegation of control for Location 1, with This Directory object and child directory objects, as is, assigned against "Location 1"

    The people managing Location 1 would hold Groups A, B, C and Location 1.

    People managing Location 2 would hold Groups A, B, C and Location 2, etc.
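
The scoping described in the answer above can be checked with a small model. This is an added example, not part of the thread and not any product's API: the tree comes from the question, while the leaf objects `jsmith` and `adoe`, the scope constants and the function names are constructed for illustration.

```python
# Added model of the delegation scopes; not any product's API.
ONLY, SUBTREE = "this object only", "this object and child objects"

# Tree from the question (child -> parent); jsmith/adoe are constructed leaves.
PARENT = {"Root.Domain": None, "Users": "Root.Domain", "Accounts": "Users",
          "Location1": "Accounts", "Location2": "Accounts",
          "Location3": "Accounts", "jsmith": "Location1", "adoe": "Location2"}

# (target container, group, scope) as laid out in the answer.
DELEGATIONS = [("Root.Domain", "Group A", ONLY),
               ("Users", "Group B", ONLY),
               ("Accounts", "Group C", ONLY),
               ("Location1", "Location 1", SUBTREE),
               ("Location2", "Location 2", SUBTREE)]

def ancestors(node):
    """Yield node, then each parent up to the root."""
    while node is not None:
        yield node
        node = PARENT[node]

def can_see(node, groups, delegations=DELEGATIONS):
    """True if a grant held through `groups` covers `node` itself."""
    return any(group in groups and
               (target == node or (scope == SUBTREE and target in ancestors(node)))
               for target, group, scope in delegations)

def browsable(groups, delegations=DELEGATIONS):
    """Nodes a tree view can reach: every node on the path must be visible."""
    return {n for n in PARENT
            if all(can_see(a, groups, delegations) for a in ancestors(n))}

def overprovisioned(delegations=DELEGATIONS):
    """Subtree-scoped grants placed on a container that holds other containers."""
    containers = set(PARENT.values()) - {None}
    return [(t, g) for t, g, s in delegations
            if s == SUBTREE and any(PARENT[c] == t for c in containers)]

if __name__ == "__main__":
    print(sorted(browsable({"Location 1"})))   # delegation on Location1 alone
    print(sorted(browsable({"Group A", "Group B", "Group C", "Location 1"})))
    print(overprovisioned())
```

Holding only the Location 1 delegation leaves nothing browsable from the root, which is the symptom in the question; adding the three "this object only" grants opens the path to Location1 without exposing its sibling OUs.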
