Disable Import Organization Unit or Container to Limited Administrators
Updated: 21 May 2010 | 1 comment
Hi,
We are trying to delegate SEPM administration to helpdesk. Helpdesk accounts are set as Limited Admins and can see only one group in SEPM. Admin accounts use AD authentication for easy setup.
Recently I found out that a limited administrator can create a sub group in his group in SEPM and import any Organization unit from AD. If he has permission to remotely reboot a machine, he could do it on every machine in the AD domain!!
Is there a way to disable this behaviour while still keeping the LDAP servers configuration?
Any ideas?
What permissions are needed on the AD account used for AD authentication? Is it used for importing AD Containers?
Thanks
David
Comments
Hi
Yeah, you're right. That could be a bit of a problem that you can't control what that limited administrator can do inside the group he has access to. There should be a way to remove/give access to commands and settings in groups as well.
You just need an account with read access to the AD.