Re: Delegation in AD not working
From: Tim McClenahan (anonymous_at_discussions.microsoft.com)
Date: 07/07/04
Date: Wed, 7 Jul 2004 16:20:38 -0700
Here you go, but the dsacls in no way looks like the Advanced tab in Security:
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow HENRYMAYO\Enterprise Admins                 SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow HENRYMAYO\Domain Admins                     SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS
                                                  LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                  READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow Everyone                                    Change Password
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS
                                                  LIST CONTENTS
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for Public Information
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for Personal Information
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers       SPECIAL ACCESS for displayName
                                                  WRITE PROPERTY
                                                  READ PROPERTY
The command completed successfully
>-----Original Message-----
>A simple dsacls dump will show the permissions on a specific object and verify
>that nothing is overriding what you think you accomplished with the GUI. It is
>the quickest way to ascertain what is wrong versus me trying to guess of all the
>possible things that could be going on.
>
>dsacls is in the support tools. If you haven't loaded them, they are very easy
>to load. Check out
>http://support.microsoft.com/default.aspx?scid=kb;EN-GB;842813
>
>Once loaded you simply type a command like
>
>dsacls "cn=username,cn=users,dc=domain,dc=com"
>
>with a valid DN and it will create a dump of all the permissions applied to that
>object. I can then quickly look at that and determine where you stand and what
>the next thing could be that needs to be done.
>
>--
>Joe Richards Microsoft MVP Windows Server Directory Services
>www.joeware.net
>
>Tim McClenahan wrote:
>> The Delegation Wizard was used to give my support desk the
>> ability to reset passwords and enable user accounts (aka
>> user objects), it is not allowing them to do this. The ACL
>> shows they have these permissions when I view the Advanced
>> section from the Security tab in AD. What else can I tell
>> you?
>>
>>>-----Original Message-----
>>>This is pretty vague and doesn't really tell us what is truly configured.
>>>Could you give a dsacls dump of a user object you are having issues with and we
>>>can go from there.
>>>
>>> joe
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>Tim McClenahan wrote:
>>>
>>>>I have successfully used the Delegation Wizard to delegate
>>>>permissions to handle all User and Group objects in the
>>>>AD. But when my support desk goes to enable an account or
>>>>reset a password they get the "Insufficient access rights
>>>>to perform the operation" error message. What else do I
>>>>need to check out to get this feature up and running?
>
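Added example, not part of the original thread: a Python parser for the text dump dsacls prints, reporting whether the object blocks inherited permissions and whether a given group holds any ACE on it, the two things the dump above lets you verify. It assumes the two columns are separated by at least two spaces; the sample is constructed and HENRYMAYO\HelpDesk is a hypothetical group name.

```python
import re
# Constructed sample in the layout dsacls prints (columns separated by two or
# more spaces, which this parser assumes). Shortened; not the thread's full dump.
# HENRYMAYO\HelpDesk below is a hypothetical delegated group, not from the thread.
SAMPLE = """\
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\\Authenticated Users      SPECIAL ACCESS
                                            READ PERMISSONS
Allow HENRYMAYO\\Domain Admins               SPECIAL ACCESS
                                            WRITE PROPERTY
                                            CONTROL ACCESS
Allow NT AUTHORITY\\SYSTEM                   FULL CONTROL
Allow Everyone                              Change Password
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow HENRYMAYO\\Exchange Enterprise Servers  SPECIAL ACCESS for displayName
                                            WRITE PROPERTY
The command completed successfully
"""

def parse_dsacls(text):
    """Return (inheritance_blocked, aces) parsed from a dsacls text dump."""
    blocked, aces, section = False, [], "effective"
    for line in text.splitlines():
        s = line.strip()
        if "protected from inheriting" in s:
            blocked = True
        elif s.startswith("Permissions inherited to subobjects"):
            section = "inherited-to-children"
        elif m := re.match(r"(Allow|Deny) (.+?)\s{2,}(.+)$", s):
            kind, trustee, right = m.groups()
            aces.append({"type": kind, "trustee": trustee, "section": section,
                         "scope": right.partition(" for ")[2] or None,
                         "rights": [] if right.startswith("SPECIAL ACCESS") else [right]})
        elif aces and s and line[:1].isspace():
            aces[-1]["rights"].append(s)  # indented continuation of the last ACE
    return blocked, aces

def delegation_report(text, group):
    """Summarise what the dump says about one trustee on this object."""
    blocked, aces = parse_dsacls(text)
    mine = [a for a in aces
            if a["section"] == "effective" and a["trustee"].lower() == group.lower()]
    return {"inheritance_blocked": blocked, "group_has_ace": bool(mine),
            "rights": sorted({r for a in mine for r in a["rights"]})}

if __name__ == "__main__":
    print(delegation_report(SAMPLE, r"HENRYMAYO\HelpDesk"))
```

A report with inheritance_blocked true and group_has_ace false means permissions delegated on a parent container are not reaching this object and the group has no explicit entry on it either.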