Re: Win2k - Account Operator not working properly



The tool is a command-line tool from Microsoft to enumerate the permissions on an object. It is much better than using the GUI because the GUI won't always display what is actually there. Also I wrote a VBScript for the refresh work I did on O'Reilly Active Directory Third Edition that does similar work but gives even more info on the security descriptors.

DSACLS can both read and set permissions. It is part of the support tools offering. The latest version of DSACLS can be gotten from K3 SP1 or the ADAM install from the R2 Beta.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
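As an added illustration (not code from the thread or from Joe), this PowerShell script takes the DSACLS dump one step further: for every user under an OU it reports whether inheritance is blocked on the object, whether it is a protected account (adminCount=1, so AdminSDHolder keeps overwriting its ACL), and whether the delegated group appears in its ACL at all. It assumes the ActiveDirectory module is present; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread. Explains why a delegated group may
# manage NEW users but not EXISTING ones in sub-OUs: either inheritance is
# blocked on those objects, or they are protected accounts whose ACL is
# reset from AdminSDHolder, so the OU delegation never sticks.
# Assumption: ActiveDirectory PowerShell module; replace the OU DN below.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your OU
$groupSam = 'Helpdesk'                      # delegated group named in the thread

# The raw dump Joe asks for in the thread (read-only)
dsacls $ouDn

$identity = "$((Get-ADDomain).NetBIOSName)\$groupSam"   # e.g. CORP\Helpdesk

Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter * -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        # Any ACE (direct or inherited) granted to the delegated group?
        $hasAce = $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $identity }
        [pscustomobject]@{
            User               = $_.SamAccountName
            OU                 = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
            InheritanceBlocked = $acl.AreAccessRulesProtected   # "protect from inheritance"
            AdminCount         = $_.adminCount                  # 1 = AdminSDHolder-managed
            HelpdeskAcePresent = [bool]$hasAce
        }
    } |
    # Keep only the objects that explain the failure
    Where-Object { $_.InheritanceBlocked -or $_.AdminCount -eq 1 -or -not $_.HelpdeskAcePresent } |
    Format-Table -AutoSize
```

Objects flagged InheritanceBlocked were never reached by the wizard's inheritable ACEs; objects with AdminCount 1 need their rights handled through the AdminSDHolder mechanism rather than OU delegation.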


thawkz wrote:
I am not familiar with DSACLS dump.....what will that do for us? I suspect by the name of the process, it will show the ACL list for a given object....just curious, if after using the utility, there appear to be problems with the permissions being applied to the object, how can it be corrected? Does DSACLS have the ability to fix problems as well as identify them?

Thanks.

"Joe Richards [MVP]" wrote:


Post a DSACLS dump of an OU of concern and what isn't happening in that OU that you expect should happen.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


thawkz wrote:

....let me also add some details to my most recent post--we have multi-level OUs....
I delegated control to Helpdesk group in the top level OU.....So, currently:
Helpdesk CAN modify/reset/create/delete accounts in the top-level OU.
Helpdesk CAN create new accounts/modify/delete/reset passwords for NEW accounts in OUs beneath the top-level OU.
Helpdesk CANNOT modify/reset existing accounts in the OUs beneath the top-level OU.
Please feedback comments/questions......thanks for your help.



"thawkz" wrote:



Good enough.....One followup question......I used the delegate control wizard to grant the required permissions for the HelpDesk group. The members of the group can now create/delete/modify NEW user accounts and reset passwords for these accounts, but cannot create/delete/modify/reset passwords for any accounts that existed PRIOR to my running the delegate control wizard.....any ideas on a cause and a fix?
Thanks.


"Joe Richards [MVP]" wrote:



You shouldn't use acc ops because there are side effects that tend to mess people up (see adminsdholder functionality) plus it was put there simply as a holdover from NT.

The proper way to handle this is to create one or more groups and delegate the permissions needed to those groups and add admins to the groups as needed.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


thawkz wrote:


Running (an inherited) Windows 2000 Active Directory.
Helpdesk staff needed permissions to manage user account/reset passwds, etc.
Added Helpdesk staff users to Account Operators built-in group.
Helpdesk staff still not able to manage user accounts/passwords, etc.
Used the Delegate Control wizard as workaround...... but I would like to fix the issue with Account Operators--how can I make the sure the Account Operators built-in group has all of the required permissions? What settings do I check and where? (I suspect some of the default permissions for the Account Operators group have been modified, but I have no idea which ones....).
Thanks.





