Re: Delegate remote access permission



Try it yourself...

Through ADSIEDIT I was able to set the attribute to true/false/not set
which corresponds to Allow Dial-in/Deny Dial-in/Through Policies

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Allan Tee" <AllanTee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FDD090D8-0800-46DC-AD52-CA497CF882A8@xxxxxxxxxxxxxxxx
Hi Jorge!

That is the exact error message I get via ADUC "changes were not saved
because: Access is denied"

Did you mean you set the msNPAllowDialin attribute via adsiedit.msc and when
you used ADUC to grant/deny dial-in access it worked?

Thanks for following up on this!



"Jorge de Almeida Pinto [MVP]" wrote:

just tried it myself using aduc and it says:
Dial-in profile changes were not saved because: Access is denied

However, setting the attribute I mentioned through ADSIEDIT.MSC does work

I used W2K3 SP1



-----------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23JsYp4UNGHA.3832@xxxxxxxxxxxxxxxxxxxxxxx
I understand "it" does not work for you...

What do you mean with "setting msNPAllowDialin still didnt grant our
helpdesk right to grant/deny dialin access via ADUC"?

Explain what you have done.



-----------------------------------------------------------------------------
"Allan Tee" <AllanTee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4A015877-4F99-4175-8233-E4FCC2D43568@xxxxxxxxxxxxxxxx
Hi Jorge, setting msNPAllowDialin still didn't grant our helpdesk the right
to grant/deny dial-in access via ADUC. Just to let you and others know.
Thanks!

"Allan Tee" wrote:

Hi Jorge,

You are right, I changed the msNPAllowDialin option under [computer] instead
of the [user] section. I was able to delegate Read/Write msNPAllowDialin to
my helpdesk for a particular OU. I will have them test it out and reply here
about the result. Hope it works! Thanks very much!

"Jorge de Almeida Pinto" wrote:

Yes there is...;-)
I guess you changed the msNPAllowDialin option under [computer]. You should
change it under [user].

Open up %windir%\system32\dssec.dat again, search for it, change the
computer option back to its original value and the user option this time,
and try again.

Create a custom task for USER-specific objects.

-----------------------------------------------------------------------------
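
The three attribute states discussed in this thread (true / false / not set), together with a check of who holds delegated write access to msNPAllowDialin on an OU, as an added example that is not part of the original posts. It assumes the RSAT ActiveDirectory PowerShell module; the OU DN, the account name and both function names are placeholders made up for illustration.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$Sam  = 'jdoe'                         # placeholder account

# Map the three Dial-in choices to the attribute states named in the thread:
# true = Allow, false = Deny, not set = controlled through policy.
function Set-DialinState {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Allow','Deny','Policy')][string]$State
    )
    switch ($State) {
        'Allow'  { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $true } }
        'Deny'   { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $false } }
        'Policy' { Set-ADUser -Identity $Identity -Clear msNPAllowDialin }
    }
}

# List allow ACEs on an OU that grant write access to msNPAllowDialin,
# either for that attribute specifically or for all properties (empty ObjectType).
function Get-DialinWriters {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Resolve the attribute's schemaIDGUID from the schema instead of hardcoding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msNPAllowDialin)' -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $write) -and
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      IsInherited, InheritedObjectType
}

# Review the delegation first, then change one account and read the value back.
Get-DialinWriters -DistinguishedName $OuDn | Format-Table -AutoSize
Set-DialinState -Identity $Sam -State Policy
Get-ADUser -Identity $Sam -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin
```

Run it under the delegated helpdesk account to confirm the attribute write succeeds outside ADUC, and under an administrative account to review which principals the OU ACL lets change dial-in permission.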