G
Guest
Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)
I've created a service account that I want to deny Read access to a parent OU
and all child objects below the parent. All child objects are other OUs and
the Contact objects contained within.
I explicitly granted the Deny Read to the parent OU and had it apply to
'this object and all child objects'.
If i look at the child objects Security, the account indeed shows the Deny
being inherited (details are in grey), however if I check the Effective
Permissions, the child objects all have Full everything. So it appears the
Deny is not taking effect.
One other thing, the service account is a member of the Domain Admins group.
Any ideas on how to Deny Read access without explicitly granting Deny to all
child objects individually?
--
Sandy Wood
Orange County District Attorney
I've created a service account that I want to deny Read access to a parent OU
and all child objects below the parent. All child objects are other OUs and
the Contact objects contained within.
I explicitly granted the Deny Read to the parent OU and had it apply to
'this object and all child objects'.
If i look at the child objects Security, the account indeed shows the Deny
being inherited (details are in grey), however if I check the Effective
Permissions, the child objects all have Full everything. So it appears the
Deny is not taking effect.
One other thing, the service account is a member of the Domain Admins group.
Any ideas on how to Deny Read access without explicitly granting Deny to all
child objects individually?
--
Sandy Wood
Orange County District Attorney