Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Implement ACEs for the Hosting Organization

The access control entries (ACEs) that Microsoft Provisioning System (MPS) implements for the are ACEs for the hosting organization. The ACEs for the Hosting OU control the type of access to this organizational unit (OU) that is granted to each group. The Remove Authenticated Users ACE is set on the hosting organization. This ACE prevents all users from reading the contents of the Hosting OU, unless they are explicitly granted this right.

ACEs for the AllUsersGroup@Hosting Group

The ACE described in the following table grants List Object permissions for the hosting organization to the AllUsersGroup@Hosting group. Members of the AllUsersGroup@Hosting include:

  • The AllUsers@reseller groups, containing all user accounts in each reseller organization.

  • The AllUsers@Hosting group, containing all user accounts in the hosting organization.

Table: ACEs for the AllUsersGroup@Hosting Group

Allowed or denied to Permission Apply to

AllUsersGroup

Special

This object only

Permission

Allow

-

List Object

ADS_RIGHT_DS_LIST_OBJECT

-

ACEs for the AllUsers@Hosting Group

Membership in the AllUsers@Hosting group includes only user accounts within the hosting organization. This membership does not include reseller or customer user accounts. The ACEs on this group allow user accounts in the hosting organization to list and read properties within the hosting OU. Refer to the following table for more information.

Table: ACEs for the AllUsers@Hosting Group

Allowed or denied to Permission Apply to

AllUsers@Hosting

Special

This object and all child objects

Permission

Allow

-

List Contents

ADS_RIGHT_DS_ACTRL_DS_LIST

-

Read All Properties

ADS_RIGHT_DS_READ_PROP

-

Read permissions

ADS_RIGHT_READ_CONTROL

-

ACEs for the Admins@Hosting Group

The following table shows an ACE that grants service provider administrator permissions to members of the Admins@Hosting group. These permissions reduce the need to grant domain administrator permissions to users who need to perform Active Directory functions for hosted customers.

Table: ACEs for the Admins@Hosting Group

Allowed or denied to Permission Apply to

Admins@Hosting

Special

This object and all child objects

Permission

Allow

-

Write all properties

ADS_RIGHT_DS_WRITE_PROPERTIES

-

Modify permissions

ADS_RIGHT_WRITE_DAC

-

All validated writes

ADS_RIGHT_DS_SELF

-

All extended writes

ADS_RIGHT_DS_CONTROL_ACCESS

-

Create all child objects

ADS_RIGHT_DS_CREATE_CHILD

-

Delete all child objects

ADS_RIGHT_DS_DELETE_ACCESS

-

ACEs for the CSRAdmins@Hosting Group

The following table describes the ACE that grants appropriate permissions to members of the CSRAdmins@Hosting group. This group contains service provider customer service representatives.

Table: ACEs for the CSRAdmins@Hosting Group

Allowed or denied to Permission Apply to

CSRAdmins@Hosting

Special

This object and all child objects

Permission

Allow

-

Write all properties

ADS_RIGHT_DS_WRITE_PROPERTIES

-

Modify properties

ADS_RIGHT_WRITE_DAC

-

All validated writes

ADS_RIGHT_DS_SELF

-

All extended writes

ADS_RIGHT_DS_CONTROL_ACCESS

-

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.