Directory Manager Permissions Model
We use two very simple permissions models in Directory Manager. In order for
a user to logon to Directory Manager and make changes, they must be a member of
the Directory Update Managers group. We currently do not support group
nesting, so they have to be a member of THAT group.
Once they are logged in, they can make changes to ANY user account to which
the service account has permissions. So, if the service account is a member of
the domain's Account Operators group, then the authorized Directory Manager can
make changes to any user in the domain that is not an a member of
Administrators, Domain Admins, Enterprise Admins, Account Operators, Print
Operators, or Server Operators.
Directory Manager was designed with small to medium sized organizations in
mind where a single person (or small group of people) would be given the rights
to update everyone.
We do not currently allow granular permission down to the OU level. This will
require changing our permissions model to use the user account credentials
rather than using the service account. We are evaluating how to implement this,
but it will require more complex delegations of permissions when Directory
Manager is installed. The permissions delegations will have to be performed by
someone with Domain Admins access using Active Directory Users and Computers.
In the past, we have tried hard to keep a "hands off" Active Directory stance
when it comes to permissions and making use of the Active Directory. When we
start touching the Active Directory (or more specifically asking you to modify
it), we introduce additional complexities for everyone involved.
We would like to hear what you think about this. Are OU by OU
permissions important to your organization? Let us know at support (at)