Endpoint Protection


Disable Import Organization Unit or Container to Limited Administrators

  • 1.  Disable Import Organization Unit or Container to Limited Administrators

    Posted Mar 11, 2009 07:50 AM

    Hi,

    We are trying to delegate SEPM administration to the helpdesk. Helpdesk accounts are set as Limited Admins and can see only one group in SEPM. Admin accounts use AD authentication for easy setup.

    Recently I found out that a limited administrator can create a sub group to his group in SEPM and import any Organization Unit from AD. If he has permission to remotely reboot a machine, he could do it on every machine in the AD domain!!

    Is there a way to disable this behaviour while still keeping the LDAP servers configuration?

    Any ideas?

    What permissions are needed on the AD account used for AD authentication? Is it used for importing AD Containers?

    Thanks

    David

     



  • 2.  RE: Disable Import Organization Unit or Container to Limited Administrators

    Posted May 21, 2009 05:11 AM
    Hi

    Yeah, you're right. That could be a bit of a problem that you can't control what that limited administrator can do inside the group he has access to. There should be a way to remove/give access to commands and settings in groups as well.

    You just need an account with read access to the AD.