Re: Delegation in AD

From: JPM (jpm_at_yahoo.com)
Date: 01/13/05 

Date: Thu, 13 Jan 2005 13:56:59 -0600

There is no deny anywhere - this is also a new user is the domain - a week
now.

"Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
news:uxJGmAa%23EHA.2600@TK2MSFTNGP09.phx.gbl...
> There is no Deny entries in the ACL List set explicit to the OU, or
> inheritance? Deny entry's always overrides Allow, Lets say there is a Deny
> for Domain Users group, that's will override the Allow entry for your
> account in this case.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "JPM" <jpm@yahoo.com> skrev i meddelandet
> news:%23JFRiGZ%23EHA.3472@TK2MSFTNGP14.phx.gbl...
>> The OU has an ACL with the user - the user has FULL rights from that OU
>> and all below it.
>>
>>
>>
>> "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
>> news:%23kZNZwY%23EHA.2804@TK2MSFTNGP15.phx.gbl...
>>> Has the user of the account logged out/in to ensure the changes took
>>> place? Click View menu in Active Directory Users & Computers, Click View
>>> Advanced Features, Right Click the particular OU, Click Properties,
>>> Click Security Tab, and ensure the account is in the Security List (ACL)
>>> and have the correct permission.
>>>
>>> --
>>> Regards
>>> Christoffer Andersson
>>> Microsoft MVP - Directory Services
>>>
>>> No email replies please - reply in the newsgroup
>>> ------------------------------------------------
>>> http://www.chrisse.se - Active Directory Tips
>>>
>>> "JPM" <jpm@yahoo.com> skrev i meddelandet
>>> news:uQxqKqY%23EHA.3932@TK2MSFTNGP10.phx.gbl...
>>>> We have our AD broken up by region - in their own OU. I tried to
>>>> delegate a right to the Dallas OU to a user there, and I gave him ALL
>>>> rights (Delegations Wizard); however, he still did not have the rights.
>>>> Can someone tell me what's missing here?
>>>>
>>>> thx.
>>>>
>>>>
>>>
>>>
>>
>>
>
>

Relevant Pages

  • Re: Delegation in AD
    ... Deny entry's always overrides Allow, Lets say there is a Deny ... > The OU has an ACL with the user - the user has FULL rights from that OU ... >> Microsoft MVP - Directory Services ...
    (microsoft.public.windows.server.active_directory)
  • Re: Authentication to specific files/pages
    ... question regarding the allow/deny permissions. ... Because of deny always overrides ... when "deny everyone/the rest" overrides it. ... authentication, and then in the web.config file, use <authentication ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Access Token with conflicting SIDs
    ... Basically deny overrides grant. ... If you have inheritance going on this gets a little trickier. ... An inherited deny can be overridden by an inherited grant that is applied lower in the hierarchy or by an explicit grant. ...
    (microsoft.public.platformsdk.security)
  • Re: Permissions Question
    ... Keep in mind than an explicit allow will override an inherited deny, ... is possible to configure permissions that way where the inherited deny box ... It overrides any other permission. ...
    (microsoft.public.win2000.security)
  • Re: Permissions Question
    ... except that an explicit allow overrides and inherited deny. ... > permissions, there are the Allow and Deny checkboxes. ...
    (microsoft.public.win2000.security)