Re: trouble with delegating unlock rights
- From: Jorge_de_Almeida_Pinto <UseLinkToEmail@xxxxxxxxxxxxxxxxx>
- Date: 11 Sep 2005 16:35:52 -0400
"" wrote:
> I am trying to delegate account unlock rights as per KB294952 with no
> success. When the users review a locked account the unlock box is still
> grayed out. I have modified the Dssec.dat file on the workstations
> being used and have included a dump from DSACLS on object. Any help
> would be appreciated.
>
> Thanks
> Joe
>
> Access list:
> Effective Permissions on this object are:
> Allow NT AUTHORITY\SYSTEM FULL CONTROL
> Allow COFCU\Domain Admins FULL CONTROL
> Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Allow COFCU\User1 FULL CONTROL <Inherited from parent>
> Allow COFCU\User2 FULL CONTROL <Inherited from parent>
> Allow COFCU\IT Domain Administrators FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL <Inherited from parent>
> Allow COFCU\COMPUTER7$ FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL <Inherited from parent>
> Allow COFCU\COMPUTER5$ FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL <Inherited from parent>
> Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
>     DELETE
>     READ PERMISSONS
>     WRITE PERMISSIONS
>     CHANGE OWNERSHIP
>     CREATE CHILD
>     LIST CONTENTS
>     WRITE SELF
>     WRITE PROPERTY
>     READ PROPERTY
>     LIST OBJECT
>     CONTROL ACCESS
> Allow COFCU\Enterprise Admins FULL CONTROL <Inherited from parent>
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
>     LIST CONTENTS
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
>     LIST CONTENTS
> Allow BUILTIN\Account Operators SPECIAL ACCESS for computer
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Account Operators SPECIAL ACCESS for user
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Account Operators SPECIAL ACCESS for group
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Print Operators SPECIAL ACCESS for printQueue
>     CREATE CHILD
>     DELETE CHILD
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for computer <Inherited from parent>
>     CREATE CHILD
> Allow COFCU\User1 SPECIAL ACCESS for computer <Inherited from parent>
>     CREATE CHILD
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for gPOptions <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for gPLink <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User1 SPECIAL ACCESS for gPOptions <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User1 SPECIAL ACCESS for gPLink <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
>     WRITE PROPERTY
>
> Permissions inherited to subobjects are:
> Inherited to all subobjects
> Allow COFCU\User2 FULL CONTROL <Inherited from parent>
> Allow COFCU\User1 FULL CONTROL <Inherited from parent>
> Allow COFCU\IT Domain Administrators FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL <Inherited from parent>
> Allow COFCU\COMPUTER7$ FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL <Inherited from parent>
> Allow COFCU\COMPUTER5$ FULL CONTROL <Inherited from parent>
> Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL <Inherited from parent>
> Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
>     DELETE
>     READ PERMISSONS
>     WRITE PERMISSIONS
>     CHANGE OWNERSHIP
>     CREATE CHILD
>     LIST CONTENTS
>     WRITE SELF
>     WRITE PROPERTY
>     READ PROPERTY
>     LIST OBJECT
>     CONTROL ACCESS
> Allow COFCU\Enterprise Admins FULL CONTROL <Inherited from parent>
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
>     LIST CONTENTS
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
>     LIST CONTENTS
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for computer <Inherited from parent>
>     CREATE CHILD
> Allow COFCU\User1 SPECIAL ACCESS for computer <Inherited from parent>
>     CREATE CHILD
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for gPOptions <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\IT Domain Administrators SPECIAL ACCESS for gPLink <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User1 SPECIAL ACCESS for gPOptions <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User1 SPECIAL ACCESS for gPLink <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
>     WRITE PROPERTY
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
>     WRITE PROPERTY
>
> Inherited to group
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
>     READ PERMISSONS
>     WRITE PERMISSIONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Inherited to user
> Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Inherited to group
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Inherited to user
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
>     READ PROPERTY
> Allow COFCU\Help_Desk SPECIAL ACCESS for lockoutTime <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User3 SPECIAL ACCESS for lockoutTime <Inherited from parent>
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\Help_Desk SPECIAL ACCESS for lockoutTime
>     WRITE PROPERTY
>     READ PROPERTY
> Allow COFCU\User3 SPECIAL ACCESS for lockoutTime
>     WRITE PROPERTY
>     READ PROPERTY
> The command completed successfully

Both http://support.microsoft.com/?id=294952 and
http://support.microsoft.com/?id=279723 should guide you on how to do
this. It works for me!

However, why are the SIDs shown instead of the user/group names? Have
those users/groups been deleted?

Maybe a stupid remark, but did you assign the permissions to the
correct OU?

To see if it is correct, check the permissions on the OU where you
delegated the permissions. It should state:

Type = ALLOW
Name = <group> or <user>
Permission = Read/Write Property (Read LockOutTime and Write LockOutTime)
Inherited from = <not inherited>
Apply to = User Objects

The user objects you are trying to unlock should have permission
inheritance enabled.
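
An added example (not part of the original thread and not a Microsoft tool): a small Python parser for DSACLS output that applies the checklist from the reply above, returning the Allow entries that grant both Read and Write on lockoutTime to user objects together with their inherited flag, plus any trustees still shown as raw SIDs. The sample dump is constructed, and the function names and the one-entry-per-line layout the parser expects are assumptions.

```python
import re

# Constructed sample in the layout of the DSACLS dump quoted above; the
# domain, group names and SID are placeholders, not values from the thread.
SAMPLE = """\
Effective Permissions on this object are:
Allow EXAMPLE\\Domain Admins    FULL CONTROL
Allow S-1-5-21-1111111111-2222222222-3333333333-1394  FULL CONTROL <Inherited from parent>
Inherited to user
Allow EXAMPLE\\Help_Desk   SPECIAL ACCESS for lockoutTime <Inherited from parent>
                          WRITE PROPERTY
                          READ PROPERTY
Allow EXAMPLE\\Help_Desk   SPECIAL ACCESS for lockoutTime
                          WRITE PROPERTY
                          READ PROPERTY
Allow EXAMPLE\\Auditors    SPECIAL ACCESS for lockoutTime
                          READ PROPERTY
"""

ACE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+(FULL CONTROL|SPECIAL ACCESS)"
                 r"(?:\s+for\s+(.+?))?\s*(<Inherited from parent>)?$")

def parse_dsacls(text):
    """Return one dict per ACE: scope, type, trustee, attribute, inherited, rights."""
    aces, scope = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate e-mail quoting
        m = ACE.match(line)
        if line.startswith("Effective Permissions"):
            scope = "this object"
        elif line.startswith("Inherited to "):
            scope = line[len("Inherited to "):]
        elif m:
            kind, trustee, access, attr, inh = m.groups()
            rights = ["FULL CONTROL"] if access == "FULL CONTROL" else []
            aces.append(dict(scope=scope, type=kind, trustee=trustee,
                             attribute=attr, inherited=bool(inh), rights=rights))
        elif aces and re.fullmatch(r"[A-Z ]+", line):
            aces[-1]["rights"].append(line)  # a right listed under the ACE above
    return aces

def unlock_delegations(aces):
    """Allow ACEs that both read and write lockoutTime on user objects."""
    return [a for a in aces if a["type"] == "Allow" and a["scope"] == "user"
            and a["attribute"] == "lockoutTime"
            and {"READ PROPERTY", "WRITE PROPERTY"} <= set(a["rights"])]

def unresolved_sids(aces):
    """Trustees shown as raw SIDs, i.e. not resolved to a name."""
    return sorted({a["trustee"] for a in aces if a["trustee"].startswith("S-1-")})
```

An entry returned by `unlock_delegations` with `inherited` set to `False` is one set directly on the object that was dumped; full-control entries reported by `unresolved_sids` are worth reviewing and cleaning up if the accounts no longer exist.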