
There are objects in my AD that have objectClass set to device, and I would like to delegate control to non-admin users so they will be able to add new and delete existing objects with objectClass set to device, but not other objects that have objectClass user, computer, or group.

I'm using the device class because this class has a macAddress attribute. New objects are created with the New-ADObject command:

New-ADObject -Type device -Name NAME -Path "OU=MAC,DC=ddomain,DC=local" -Description DESCRIPTION -OtherAttributes @{'macAddress'="0011223344"}

From what I see, the Delegation of Control wizard and the ACL editor do not offer such fine-grained control, where I can select a custom objectClass for which security properties should be edited.

svakak


The permission system in Active Directory can definitely do what you want. Just as a test, I set up the permission you're looking for using ADSI Edit:

  • Navigated to my "Device Test" OU, brought up the Properties and the "Advanced" Security dialog

  • Added the group "Test Device Admins Group", applying to "This object and all child objects", granting the permission to "Allow" on "Create device objects" and "Delete device objects"

  • Added a second access control entry (ACE) referencing the group "Test Device Admins Group", applying to "device objects", granting the permission "Full Control" (which, arguably, may be too heavy-handed for what you're looking for, but made for a quick test)

Evan Anderson
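The same two ACEs applied from PowerShell instead of ADSI Edit, as an added example that is not part of the question or the answer. It assumes the ActiveDirectory module (for the AD: drive and Get-ADRootDSE), the OU path from the question and the group name from the answer, and it looks up the schemaIDGUID of the device class from the schema rather than hard-coding it. The second ACE deliberately grants a narrower set of rights than the Full Control used in the answer's test; that narrower set is my choice, not something the answer specifies.

```powershell
# Added example, not code from the original question or answer.
# Assumes: ActiveDirectory module installed, the OU from the question,
# and the group name from the answer.
Import-Module ActiveDirectory

$ouDN      = "OU=MAC,DC=ddomain,DC=local"   # OU from the question
$groupName = "Test Device Admins Group"     # group from the answer

# Look up the schemaIDGUID of the 'device' class from the schema partition.
# This is the GUID ADSI Edit uses behind "Create device objects" / "device objects".
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$deviceClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=device))" `
    -Properties schemaIDGUID
$deviceGuid  = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$deviceClass.schemaIDGUID)

$sid = (Get-ADGroup -Identity $groupName).SID

# ACE 1 (on the OU, this object and all child objects):
# CreateChild + DeleteChild restricted by objectType to the device class,
# i.e. "Create device objects" and "Delete device objects" only.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $deviceGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2 (applies to descendant device objects only, via inheritedObjectType):
# the answer used Full Control (GenericAll) for its test; this narrower set is
# my choice and lets the group read/write attributes such as macAddress and
# delete the device object itself, without touching users, computers or groups.
$deviceRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::Delete
$onDevices = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $deviceRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $deviceGuid)

# Apply both ACEs to the OU's security descriptor.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($onDevices)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: both entries should show the device class GUID, once as ObjectType
# (ACE 1) and once as InheritedObjectType (ACE 2).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

To confirm the delegation does what the question asks, run New-ADObject -Type device as a member of the group (it should succeed) and then try New-ADObject -Type user or New-ADUser in the same OU (it should fail with an access-denied error, since the CreateChild right is scoped to the device class GUID). dsacls "OU=MAC,DC=ddomain,DC=local" gives the same view of the resulting ACEs from the command line.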