Re: Delegation in AD not working
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/08/04
- Next message: Jasper Rowe: "WAN Traffic with Windows AD"
- Previous message: Joe Richards [MVP]: "Re: Removing users from global group"
- In reply to: Tim McClenahan: "Re: Delegation in AD not working"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 07 Jul 2004 23:24:50 -0400
That is why I wanted dsacls, it is the most accurate display of what is going on
other than custom scripts I have written and they just display the same info as
dsacls just in a format I like better. :o)
The ACL presented here almost certainly came from an object that has the
adminSDHolder functionality impacting it. It means the user is or was at some
time in one of the protected groups. The adminSDHolder clears the inherit
permissions tab so anything applied to an OU will not impact one of these IDs
for more than an hour tops before inheritance is cleared and it gets a special
SD slapped down on it by sdprop.
To find out more about adminSDHolder, simply do a google search with the following
adminsdholder site:microsoft.com
Follow some of the links and read them and you will learn what that
functionality is about. Either the users should be impacted that way, they are
specifically in protected groups and SHOULD be protected (and when I am saying
SHOULD I don't necessarily mean I think you think they should be protected, just
that they should be protected) or they are users who are caught in that
functionality accidentally, either due to previous group membership in the protected
groups or some accident involving a transitive connection. There are various
steps that would need to be followed to clear up the second aspect of the issues
depending on specifically how it happened.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Tim McClenahan wrote:
> Here you go, but the dsacls in no way looks like the
> Advanced tab in Security:
>
> Access list:
> {This object is protected from inheriting permissions from the parent}
> Effective Permissions on this object are:
> Allow NT AUTHORITY\Authenticated Users              SPECIAL ACCESS
>                                                     READ PERMISSONS
>                                                     LIST CONTENTS
>                                                     READ PROPERTY
>                                                     LIST OBJECT
> Allow BUILTIN\Administrators                        SPECIAL ACCESS
>                                                     DELETE
>                                                     READ PERMISSONS
>                                                     WRITE PERMISSIONS
>                                                     CHANGE OWNERSHIP
>                                                     CREATE CHILD
>                                                     DELETE CHILD
>                                                     LIST CONTENTS
>                                                     WRITE SELF
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
>                                                     LIST OBJECT
>                                                     CONTROL ACCESS
> Allow HENRYMAYO\Enterprise Admins                   SPECIAL ACCESS
>                                                     READ PERMISSONS
>                                                     WRITE PERMISSIONS
>                                                     CHANGE OWNERSHIP
>                                                     CREATE CHILD
>                                                     DELETE CHILD
>                                                     LIST CONTENTS
>                                                     WRITE SELF
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
>                                                     LIST OBJECT
>                                                     CONTROL ACCESS
> Allow HENRYMAYO\Domain Admins                       SPECIAL ACCESS
>                                                     READ PERMISSONS
>                                                     WRITE PERMISSIONS
>                                                     CHANGE OWNERSHIP
>                                                     CREATE CHILD
>                                                     DELETE CHILD
>                                                     LIST CONTENTS
>                                                     WRITE SELF
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
>                                                     LIST OBJECT
>                                                     CONTROL ACCESS
> Allow NT AUTHORITY\SYSTEM                           FULL CONTROL
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS
>                                                     READ PERMISSONS
>                                                     LIST CONTENTS
>                                                     READ PROPERTY
>                                                     LIST OBJECT
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS
>                                                     LIST CONTENTS
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS for Remote Access Information
>                                                     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS for General Information
>                                                     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS for Group Membership
>                                                     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS for Account Restrictions
>                                                     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access    SPECIAL ACCESS for Logon Information
>                                                     READ PROPERTY
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for Public Information
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for Personal Information
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for displayName
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
> Allow Everyone                                      Change Password
>
> Permissions inherited to subobjects are:
> Inherited to all subobjects
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS
>                                                     LIST CONTENTS
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for Public Information
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for Personal Information
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
> Allow HENRYMAYO\Exchange Enterprise Servers         SPECIAL ACCESS for displayName
>                                                     WRITE PROPERTY
>                                                     READ PROPERTY
>
> The command completed successfully
>
>
>>-----Original Message-----
>>A simple dsacls dump will show the permissions on a specific object and verify
>>that nothing is overriding what you think you accomplished with the GUI. It is
>>the quickest way to ascertain what is wrong versus me trying to guess of all the
>>possible things that could be going on.
>>
>>dsacls is in the support tools. If you haven't loaded them, they are very easy
>>to load. Check out http://support.microsoft.com/default.aspx?scid=kb;EN-GB;842813
>>
>>Once loaded you simply type a command like
>>
>>dsacls "cn=username,cn=users,dc=domain,dc=com"
>>
>>with a valid DN and it will create a dump of all the permissions applied to that
>>object. I can then quickly look at that and determine where you stand and what
>>the next thing could be that needs to be done.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>Tim McClenahan wrote:
>>
>>>The Delegation Wizard was used to give my support desk the
>>>ability to reset passwords and enable user accounts (aka
>>>user objects), it is not allowing them to do this. The ACL
>>>shows they have these permissions when I view the Advanced
>>>section from the Security tab in AD. What else can I tell
>>>you?
>>>
>>>>-----Original Message-----
>>>>This is pretty vague and doesn't really tell us what is truly configured.
>>>>Could you give a dsacls dump of a user object you are having issues with and we
>>>>can go from there.
>>>>
>>>> joe
>>>>
>>>>--
>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>www.joeware.net
>>>>
>>>>Tim McClenahan wrote:
>>>>
>>>>>I have successfully used the Delegation Wizard to delegate
>>>>>permissions to handle all User and Group objects in the
>>>>>AD. But when my support desk goes to enable an account or
>>>>>reset a password they get the "Insufficient access rights
>>>>>to perform the operation" error message. What else do I
>>>>>need to check out to get this feature up and running?
>>>>
>>
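Joe's reply points at accounts whose security descriptor SDProp has overwritten from adminSDHolder. The following is an added example (mine, not from the thread or from joeware): it lists every user stamped with adminCount=1, checks whether inheritance is blocked on the object, and separates current members of the well-known protected groups from accounts that are no longer in one but still carry the stamp. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known protected groups (Windows Server 2003 SP1 and later). The
# Administrator and krbtgt accounts are protected directly as well, and a
# domain may protect more or fewer groups if dSHeuristics was changed.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Domain Controllers', 'Read-only Domain Controllers'
)

# Transitive membership of each protected group that exists in this domain,
# keyed by member DN so lookups below are cheap.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$g)" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $g }
}

# SDProp stamps adminCount=1 on every object it has touched; that is the
# marker for "this object got the adminSDHolder SD slapped down on it".
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, nTSecurityDescriptor

foreach ($u in $stamped) {
    # AreAccessRulesProtected is the "inherit permissions" box being cleared.
    $blocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    $status = if ($protectedMembers.ContainsKey($u.DistinguishedName)) {
        "protected (member of $($protectedMembers[$u.DistinguishedName]))"
    } else {
        'ORPHANED: adminCount=1 but no current protected group membership'
    }
    [PSCustomObject]@{
        SamAccountName     = $u.SamAccountName
        InheritanceBlocked = $blocked
        Status             = $status
    }
}
```

Accounts reported as protected will never pick up an OU-level delegation, exactly as Joe describes; accounts reported ORPHANED are his second case, and for those the usual cleanup once the cause is understood is to clear adminCount and re-enable inheritance on the object.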