Directory Manager Permissions Model

We use two very simple permissions models in Directory Manager. In order for a user to logon to Directory Manager and make changes, they must be a member of the Directory Update Managers group. We currently do not support group nesting, so they have to be a member of THAT group.

Once they are logged in, they can make changes to ANY user account to which the service account has permissions. So, if the service account is a member of the domain's Account Operators group, then the authorized Directory Manager can make changes to any user in the domain that is not an a member of Administrators, Domain Admins, Enterprise Admins, Account Operators, Print Operators, or Server Operators.

Directory Manager was designed with small to medium sized organizations in mind where a single person (or small group of people) would be given the rights to update everyone.

We do not currently allow granular permission down to the OU level. This will require changing our permissions model to use the user account credentials rather than using the service account. We are evaluating how to implement this, but it will require more complex delegations of permissions when Directory Manager is installed. The permissions delegations will have to be performed by someone with Domain Admins access using Active Directory Users and Computers.

In the past, we have tried hard to keep a "hands off" Active Directory stance when it comes to permissions and making use of the Active Directory. When we start touching the Active Directory (or more specifically asking you to modify it), we introduce additional complexities for everyone involved.

We would like to hear what you think about this.  Are OU by OU permissions important to your organization?  Let us know at support (at) ithicos.com