The access control entries (ACEs) that Microsoft Provisioning System (MPS) implements for the Hosting OU are ACEs for the hosting organization. These ACEs control the type of access to this organizational unit (OU) that is granted to each group. The Remove Authenticated Users ACE is set on the hosting organization. This ACE prevents all users from reading the contents of the Hosting OU, unless they are explicitly granted this right.
ACEs for the AllUsersGroup@Hosting Group
The ACE described in the following table grants List Object permissions for the hosting organization to the AllUsersGroup@Hosting group. Members of the AllUsersGroup@Hosting group include:
- The AllUsers@reseller groups, containing all user accounts in each reseller organization.
- The AllUsers@Hosting group, containing all user accounts in the hosting organization.
Table: ACEs for the AllUsersGroup@Hosting Group
Allowed or denied to | Permission | Apply to |
---|---|---|
AllUsersGroup | Special | This object only |

Permission | Allow | - |
---|---|---|
List Object | ADS_RIGHT_DS_LIST_OBJECT | - |
ACEs for the AllUsers@Hosting Group
Membership in the AllUsers@Hosting group includes only user accounts within the hosting organization. This membership does not include reseller or customer user accounts. The ACEs on this group allow user accounts in the hosting organization to list and read properties within the hosting OU. Refer to the following table for more information.
Table: ACEs for the AllUsers@Hosting Group
Allowed or denied to | Permission | Apply to |
---|---|---|
AllUsers@Hosting | Special | This object and all child objects |

Permission | Allow | - |
---|---|---|
List Contents | ADS_RIGHT_DS_ACTRL_DS_LIST | - |
Read All Properties | ADS_RIGHT_DS_READ_PROP | - |
Read permissions | ADS_RIGHT_READ_CONTROL | - |
ACEs for the Admins@Hosting Group
The following table shows an ACE that grants service provider administrator permissions to members of the Admins@Hosting group. These permissions reduce the need to grant domain administrator permissions to users who need to perform Active Directory functions for hosted customers.
Table: ACEs for the Admins@Hosting Group
Allowed or denied to | Permission | Apply to |
---|---|---|
Admins@Hosting | Special | This object and all child objects |

Permission | Allow | - |
---|---|---|
Write all properties | ADS_RIGHT_DS_WRITE_PROPERTIES | - |
Modify permissions | ADS_RIGHT_WRITE_DAC | - |
All validated writes | ADS_RIGHT_DS_SELF | - |
All extended writes | ADS_RIGHT_DS_CONTROL_ACCESS | - |
Create all child objects | ADS_RIGHT_DS_CREATE_CHILD | - |
Delete all child objects | ADS_RIGHT_DS_DELETE_ACCESS | - |
ACEs for the CSRAdmins@Hosting Group
The following table describes the ACE that grants appropriate permissions to members of the CSRAdmins@Hosting group. This group contains service provider customer service representatives.
Table: ACEs for the CSRAdmins@Hosting Group
Allowed or denied to | Permission | Apply to |
---|---|---|
CSRAdmins@Hosting | Special | This object and all child objects |

Permission | Allow | - |
---|---|---|
Write all properties | ADS_RIGHT_DS_WRITE_PROPERTIES | - |
Modify properties | ADS_RIGHT_WRITE_DAC | - |
All validated writes | ADS_RIGHT_DS_SELF | - |
All extended writes | ADS_RIGHT_DS_CONTROL_ACCESS | - |
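
The four tables above can serve as a baseline when reviewing the Hosting OU's access control list. The following is an added example, not part of MPS or of the original page: it compares a list of allow ACEs against that baseline and reports extra rights, missing rights, scope differences, and trustees the tables do not list (such as a leftover Authenticated Users ACE). The bit values are those of the ADSI `ADS_RIGHTS_ENUM`, keyed here by the permission names used in the tables; the function names and the sample ACE list are constructed for illustration, and exporting the ACEs from the directory is assumed to happen elsewhere.

```python
# ADS_RIGHTS_ENUM bit values, keyed by the permission names used in the tables.
RIGHTS = {
    "Create all child objects": 0x1, "Delete all child objects": 0x2,
    "List Contents": 0x4, "All validated writes": 0x8,
    "Read All Properties": 0x10, "Write all properties": 0x20,
    "List Object": 0x80, "All extended writes": 0x100,
    "Read permissions": 0x20000, "Modify permissions": 0x40000,  # WRITE_DAC
}
# Baseline from the tables: trustee -> (permissions, applies to child objects).
ADMIN = ["Write all properties", "Modify permissions",
         "All validated writes", "All extended writes"]
BASELINE = {
    "AllUsersGroup@Hosting": (["List Object"], False),
    "AllUsers@Hosting": (["List Contents", "Read All Properties", "Read permissions"], True),
    "Admins@Hosting": (ADMIN + ["Create all child objects", "Delete all child objects"], True),
    "CSRAdmins@Hosting": (ADMIN, True),
}
# Constructed sample export: (trustee, allow mask, inherited by child objects).
SAMPLE = [
    ("AllUsersGroup@Hosting", 0x80, False), ("AllUsers@Hosting", 0x20014, True),
    ("Admins@Hosting", 0x4012B, True), ("CSRAdmins@Hosting", 0x40129, True),
    ("Authenticated Users", 0x20094, True),
]

def mask_of(names):
    return sum(RIGHTS[n] for n in names)  # names are distinct bits, so sum == OR

def decode(mask):
    """Return the permission names set in mask; unnamed bits are shown as hex."""
    names = [n for n, bit in RIGHTS.items() if mask & bit]
    unknown = mask & ~mask_of(RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def audit(aces):
    """Return (trustee, finding, permissions) tuples for deviations from BASELINE."""
    findings, seen = [], set()
    for trustee, mask, inherit in aces:
        if trustee not in BASELINE:
            findings.append((trustee, "unexpected trustee", decode(mask)))
            continue
        seen.add(trustee)
        names, want_inherit = BASELINE[trustee]
        want = mask_of(names)
        for label, bits in (("extra rights", mask & ~want), ("missing rights", want & ~mask)):
            if bits:
                findings.append((trustee, label, decode(bits)))
        if inherit != want_inherit:
            findings.append((trustee, "scope differs", []))
    findings += [(t, "ACE missing", decode(mask_of(BASELINE[t][0])))
                 for t in sorted(BASELINE.keys() - seen)]
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the extra Create all child objects right on CSRAdmins@Hosting and the Authenticated Users ACE that the baseline does not contain.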