Re: Help with proper delegation settings

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 11/16/04 

Date: Tue, 16 Nov 2004 21:15:19 -0000

You'll need modify permissions. Create and delete doesn't simply equal
modify ;-)

I'm not in front of a server right now, but you can't always get the
permissions you need through the wizard. Sometimes you have to goto the
object's security tab and view advanced permissions. 

-- 
Paul Williams
http://www.msresource.net
http://forums.msresource.net
"David Doumani" <ddoumani@verizon.net> wrote in message 
news:eqtT0TBzEHA.1260@TK2MSFTNGP12.phx.gbl...
We have a Windows 2003 Native Mode Active Direcotry in our organization; set
up is pretty basic.  I have created a OU called OrganizaitonComps and under
that we have 2 OU's; general population and LockDown.
I delegated control to a group called AddComputerAccounts the ability to Add
and Delete workstations to the domain at both the Computers OU and the
OrganizationComps OU.   I did this by opening the AD Users and Computers
tool; Launching the Delegation Wizard; Created a Custom Task to Delegate;
Only the following Objects and selected computer objects and checked off the
create and delete tabs.
The users can add accounts to the domain just fine; but we are in the midst
of a PC-Refresh and the process is to go to "suzies" desk; take her computer
and move it into a workgroup and then unplug it and replace the pc with the
new one;  when the try to add it to the domain using the name of the old
computer they get "access is denied" messages but if I delete the computer
account that was "suzies" they can add it just fine.
I basically want the ability to allow them to "overwrite" a computer object
so they can conform to the naming standards...  as a work around they are
adding an "a" or a "1" to the end of the old name which is leaving orphaned
accounts in the directory as well as deviating from our standard.
Any help is appreciated.

Relevant Pages

  • Re: Help with proper delegation settings
    ... I gave them modify permissions and now instead of getting access denied they ... >> Paul Williams ... >> accounts in the directory as well as deviating from our standard. ...
    (microsoft.public.windows.server.active_directory)
  • Re: File Sharing (again - sorry, Pd)
    ... InTerminal, type umask. ... Back in the good old days, Mac OS X user accounts ... The reason that the file permissions are "resetting" each time the ... that folder inherit the ACLs from the folder. ...
    (uk.comp.sys.mac)
  • Re: Security Group Keeps getting removed???
    ... ACL on all security principals (users, groups, and machine accounts) present ... Delegated permissions are not available and inheritance is automatically ... AdminSDHolder Object Affects Delegation of Control for Past Administrator ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegating AD Rights (Enable/Disable Accounts)
    ... I will definitely pass it on to my Customer ... user accounts in AD to non-admin staff so that they will be able to ... permissions as Domain User rights will work just fine. ... The UMRA ...
    (microsoft.public.windows.server.scripting)
  • Re: Delegation - Password Reset - Access Denied
    ... If you go to properties of an AD object, select the security tab and click ... on advanced you should be on the permissions tab. ... WARNING - Any implicit permissions defined will be lost and reset back to ... Accounts in the OU and found that the BldgAdmins group was not listed. ...
    (microsoft.public.windows.server.active_directory)