Re: Delegation Assistance




Yep, that and other display/change deficiencies are why I wholeheartedly avoid doing any delegation from the GUI.

There are times when you try to delegate something through the GUI and you will get multiple ACEs added to the ACL when only one is truly needed. This is most evident when dealing with property sets.


-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net


Tim Kalligonis wrote:
Thanks Joe... I will try that as well.
I actually figured it out... When looking at the security on the OU for user objects, I was looking for the attribute names. I came to find out that the security doesn't use the attribute name but the name that is displayed in the ADUC GUI. Example: userPrincipalName is listed as Logon Name, sAMAccountName is listed as Logon Name (pre-Windows 2000), and mailNickname is listed as Alias.


Thanks.


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:OE5usaKXFHA.1468@xxxxxxxxxxxxxxxxxxxxxxx


Assuming the user accounts are in one OU (all one line)

subinacl ou_dn /I:S /G dom\grp:WP;sAMAccountName;user dom\grp:WP;userPrincipalName;user dom\grp:WP;mailNickname;user

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Tim Kalligonis wrote:

That is how I was trying to do it.... with dsacls or going to the security tab of the object.

The attributes don't correspond to what you can delegate (or give permissions to).




"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:Oc5XCEoWFHA.2128@xxxxxxxxxxxxxxxxxxxxxxx



You can't use the wizard to do it. You will need to edit the security (right-click, Properties, then Security) on the OU level where you want this delegation, or you need to use dsacls, which is a command-line security tool.

 joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Tim Kalligonis wrote:


Without going into all the details as to why....

I need to be able to delegate the ability for an account to modify the following attributes, and only the following attributes, on a group of user accounts.

sAMAccountName
userPrincipalName
mailNickname

After looking through the delegation on a user object (ADUC), it doesn't seem as though the items you can delegate correspond one to one with the actual attributes of the object. Example: I go to delegate on an OU and choose the User object, go to the Properties tab and scroll through the entire list. I don't see any of these three attributes to delegate.

Does anyone know how I would be able to delegate the ability to change these three attributes on user objects?

Thanks,
Tim
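As an added example (not from any poster in this thread), the delegation Joe's subinacl line performs, done with the RSAT ActiveDirectory module so that the schemaIDGUIDs of the three attributes and of the user class are looked up from the schema instead of typed in, one ACE per attribute, inherited by user objects only, followed by a read-back that lists exactly what landed on the OU. The OU DN and group name are placeholders and must be changed.

```powershell
# Added example, not code from the thread: grant one group WriteProperty on
# exactly sAMAccountName, userPrincipalName and mailNickname for user objects
# under an OU, one ACE per attribute and nothing else. Requires the RSAT
# ActiveDirectory module and rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=corp,DC=example'   # assumption: target OU
$GroupSam   = 'HelpdeskNameAdmins'            # assumption: delegate group (sAMAccountName)
$Attributes = 'sAMAccountName', 'userPrincipalName', 'mailNickname'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ACEs refer to attributes and classes by schemaIDGUID, not by the display
# name ADUC shows, so resolve the GUIDs from the schema at run time.
function Get-SchemaIdGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaIdGuid 'user'
$groupSid      = (Get-ADGroup $GroupSam).SID
$groupAccount  = $groupSid.Translate([System.Security.Principal.NTAccount])
$attrGuids     = @{}
foreach ($a in $Attributes) { $attrGuids[$a] = Get-SchemaIdGuid $a }

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($a in $Attributes) {
    # Allow WriteProperty on this one attribute (ObjectType = attribute GUID),
    # inherited only by descendant objects of class user (InheritedObjectType),
    # not by the OU itself and not by other object classes.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuids[$a],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: read the ACL back and list only this group's WriteProperty ACEs,
# translating GUIDs back to names so each line can be checked by eye.
$guidToName = @{}
foreach ($k in $attrGuids.Keys) { $guidToName[$attrGuids[$k]] = $k }

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -eq $groupAccount -and
                   $_.ActiveDirectoryRights -eq 'WriteProperty' } |
    ForEach-Object {
        [pscustomobject]@{
            Attribute   = if ($guidToName.ContainsKey($_.ObjectType)) { $guidToName[$_.ObjectType] } else { $_.ObjectType }
            AppliesTo   = if ($_.InheritedObjectType -eq $userClassGuid) { 'user (descendants)' } else { $_.InheritedObjectType }
            Inheritance = $_.InheritanceType
        }
    }
```

The read-back should show exactly three rows for the group, each naming one attribute and applying to descendant user objects; any extra row is a stray ACE of the kind Joe describes the GUI adding. Note that these three attributes are the names a user logs on and receives mail under, so whoever holds this delegation can rename accounts within the OU; audit membership of the delegate group accordingly.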






