Re: Permission

Thanks, this really helps. I can see rights now. What I found is that even
if OU has right security, some users in that OU which were in there don't
have this rights. I wondering why theese rights not propagate down to
users? Or it will apply only to new users in this OU? How can I propagate
rights to users?




Thu, 11 Aug 2005 07:42:12 -0700, Hutch ΞΑΠΙΣΑΜ:

> Open your MMC console for ADUC. In the View option, select Advanced View.
> Then Right Click on your Test OU...there should now be a Tab labelled
> Security. I believe if you look in the security settings, you should now see
> all accounts/groups that have access to that OU.
>
> Your Test account should be there. Select the account, go to properties and
> advanced. You can see/edit all the rights that were given to test.
>
> "Hutch" wrote:
>
>> Hmmm...I've never used the delegate priviledges for that purpose. But for
>> our tech staff, specifically those imaging PC's, I have delegated the ability
>> to Create Computer objects, but not to delete them (I don't want them
>> overwriting an existing account).
>>
>> I would hazard a guess that it is just the delegate priviledges that have
>> been assigned that are incorrect.
>>
>> Try this...make a Test OU, and a test user account inside that OU. Then
>> delegate on the OU, giving your test user account full access. The test
>> account should then have rights to modify itself and only itself. I would
>> then start removing rights until you get the configuration you want.
>>
>> Once those settings have been documented, it should be easy to apply them to
>> the live accounts, etc.
>>
>> Not sure if that helps or not.
>>
>> "Sergey Dashko" wrote:
>>
>>> Tue, 9 Aug 2005 11:09:41 +0100, Harold ΞΑΠΙΣΑΜ:
>>>
>>> > I want to grant a user right to read and write all prperties but didn't
>>> > work when I used Delegation control wizard.
>>> >
>>> > Caro
>>>
>>> Hi.
>>> I have the same problem.
>>> I have ritten in many place that by default user should be able to edit
>>> some property of himself. Like phone and else. But it doesn't work for me.
>>> I have AD on W2k3 with SP1. I also have tried to make it possible through
>>> Delegation wizard as says in http://support.microsoft.com/?kbid=272198 but
>>> not successfull.
>>>
>>> Sergey
>>>
.

Relevant Pages

  • Re: User Accounts
    ... account that surfs the web, and confining everything that comes down the ... Especially since folder permissions has less downside risk than filtering ... >every tool and feature in XP to lock down security as best as is possible. ... and settings do not stay the same when user account rights ...
    (microsoft.public.windowsxp.security_admin)
  • Re: User Accounts
    ... >every tool and feature in XP to lock down security as best as is possible. ... code that is exposed to the "outside", the higher the risk of exploit. ... If I limit an account in XP Home, it falls back to hiding paths, ... and settings do not stay the same when user account rights are ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Prevent changes to Administrator password
    ... What I am trying to do is give Taz1972 some options to minimize the risk or make it harder for a lower-level DA to reset the password for the EA account. ... * This posting is provided "AS IS" with no warranties and confers no rights! ... > By adding the Deny Write Permissions ACE, ... > permission to modify the ACL on AdminSDHolder. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows 2003 Users vs Software
    ... You need to have both an admin and a limited account ... >> as a limited user, to effect, "the software has not been installed ... The users do not have rights to install programs. ...
    (microsoft.public.security)
  • Re: an account to run netdom
    ... I have already delegate a user with create computer rights in the computer OU, is there any other rights I need to assign? ... I am getting "access denied" when I try to use that account to join domain. ...
    (microsoft.public.windows.server.active_directory)
Loading