Hi there,
I'm having trouble configuring ActiveViews/powers for my needs.
I have a group of administrators, called PC_Admins.

We have several OUs containing computer accounts (L0 .. L5).
I want to restrict their ability to create computers to just container
L0, but have ability to move computers between other OUs without

So I created "AV_L0_Create Computer (Include OU L0)" and attached the
"Create Computer and Modify All Properties" rule into it.

Then, I've created another AV for the ability to move objects, called "Move &
Manage computers (L0 - L5)". It contains all rules required for moving
computers between OUs, except "Create computer". This way I'm able to
restrict computer creation to just OU L0.

Administrators are able to create computers in L0, then move them from L0
=> L1 .. L5. No problem there.
But if they want to move a computer back from L3 => L0, I get "C0043AB0
Authorization failed, power escalation occured. An attempt was made to
add a power/role that the user does not have, or the operation would
have resulted in the user having more powers over the object".
It's because the L0 OU contains the "Create computer" role as well. The only
way I was able to solve that is by adding a "Create computer" role
to the L1..L5 OUs.

My DRA version: 8.6


