Re: Win2k - Account Operator not working properly



Ok....here is current status:
1) Created a brand new user.
2) Verified new user has no special group memberships (only default
membership of domain users)
3) Used the delegation wizard, on the top level OU, to assign the desired
permissions.
4) Verified that the new user account can create/delete objects at this OU
level and OUs below it........
5) Verified that the new user account can modify objects at the top level OU
6) Verified that the new user account CANNOT edit previously existing
objects (reset passwords, modify account properties, etc.).
7) Ran DSACLS on the top level OU and received the following output (only
providing relevant parts of the dump--also changed domain name for privacy
purposes):
Allow DOMAIN\testacct SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY

Allow DOMAIN\testacct SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD

Allow DOMAIN\testacct SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY

Allow DOMAIN\testacct SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD

Allow DOMAIN\testacct FULL CONTROL

8) Ran DSACLS for a sub-level OU (3 levels down from top OU) and received
the following output (only providing relevant parts of the dump--also changed
domain name for privacy purposes):

Allow DOMAIN\testacct SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY

Allow DOMAIN\testacct SPECIAL ACCESS for user <Inherited from parent>
CREATE CHILD
DELETE CHILD

Allow DOMAIN\testacct SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY

Allow DOMAIN\testacct SPECIAL ACCESS for user <Inherited from parent>
CREATE CHILD
DELETE CHILD

Allow DOMAIN\testacct FULL CONTROL <Inherited from parent>

Allow DOMAIN\testacct Reset Password

Based on this output, are there some required permissions missing?
Thanks......
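Added example (my code, not part of the thread): a small Python parser for DSACLS dumps like the two above. It separates a trustee's explicit rights from inherited ones and flags an object that carries no inherited ACEs at all, which on a non-root object is the symptom of the "protect from inheritance" flag that AdminSDHolder/SDProp stamps on members of protected groups (the adminsdholder side effect mentioned later in the thread). The sample dump is constructed from the sub-OU output; the function names are my own.

```python
import re

# Constructed sample mirroring the sub-OU dump in the post above (spacing in real
# DSACLS output varies by version, so continuation lines are recognised by
# following a header line, not by their indentation).
SAMPLE_DUMP = """\
Allow DOMAIN\\testacct SPECIAL ACCESS <Inherited from parent>
                       READ PERMISSONS
                       LIST CONTENTS
                       WRITE PROPERTY
                       READ PROPERTY
Allow DOMAIN\\testacct SPECIAL ACCESS for user <Inherited from parent>
                       CREATE CHILD
                       DELETE CHILD
Allow DOMAIN\\testacct FULL CONTROL <Inherited from parent>
Allow DOMAIN\\testacct Reset Password
"""
# Header: Allow|Deny, trustee, rights summary, optional inheritance tag. Simplified:
# the trustee must contain no spaces ("NT AUTHORITY\\Authenticated Users" would not parse).
ACE_RE = re.compile(r"^(Allow|Deny)\s+(\S+)\s+(.*?)\s*(<Inherited from parent>)?\s*$")

def parse_dsacls(text):
    """Return ACE dicts (type, trustee, summary, inherited, rights) from a DSACLS dump."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"type": m.group(1), "trustee": m.group(2), "summary": m.group(3),
                         "inherited": m.group(4) is not None, "rights": []})
        elif aces:  # an indented right name belonging to the previous header
            aces[-1]["rights"].append(line)
    return aces

def effective_rights(aces, trustee):
    """Split a trustee's Allow rights into (explicit, inherited) sets. SPECIAL ACCESS
    headers list rights below them; FULL CONTROL / Reset Password name the right itself."""
    explicit, inherited = set(), set()
    for ace in aces:
        if ace["type"] != "Allow" or ace["trustee"].lower() != trustee.lower():
            continue
        names = ace["rights"] or [ace["summary"]]
        (inherited if ace["inherited"] else explicit).update(names)
    return explicit, inherited

def inheritance_blocked(aces):
    """True when nothing is inherited: on a non-root object that means the 'protect from
    inheritance' flag is set (AdminSDHolder/SDProp does this to members of protected
    groups), so delegation granted at the OU never reaches the object."""
    return not any(ace["inherited"] for ace in aces)
```

Running a user object's dump through `inheritance_blocked` answers the "works for new accounts but not existing ones" question faster than comparing GUI tabs by eye.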


"Joe Richards [MVP]" wrote:

> The tool is a command line tool from Microsoft to enumerate the permissions on
> an object. It is much better than using the GUI because the GUI won't always
> display what is actually there. Also I wrote a vbscript for the refresh work I
> did on O'Reilly Active Directory Third Edition that does similar work but gives
> even more info on the security descriptors.
>
> DSACLS can both read and set permissions. It is part of the support tools
> offering. The latest version of DSACLS can be gotten from K3 SP1 or the ADAM
> install from the R2 Beta.
>
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> thawkz wrote:
> > I am not familiar with DSACLS dump.....what will that do for us? I suspect by
> > the name of the process, it will show the ACL list for a given object....just
> > curious, if after using the utility, there appear to be problems with the
> > permissions being applied to the object, how can it be corrected? Does DSACLS
> > have the ability to fix problems as well as identify them?
> >
> > Thanks.
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>Post a DSACLS dump of an OU of concern and what isn't happening in that OU that
> >>you expect should happen.
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>thawkz wrote:
> >>
> >>>....let me also add some details to my most recent post--we have multi-level
> >>>OUs....
> >>>I delegated control to Helpdesk group in the top level OU.....So, currently:
> >>>Helpdesk CAN modify/reset/create/delete accounts in the top-level OU.
> >>>Helpdesk CAN create new accounts/modify/delete/reset passwords for NEW
> >>>accounts in OUs beneath the top-level OU.
> >>>Helpdesk CANNOT modify/reset existing accounts in the OUs beneath the
> >>>top-level OU.
> >>>Please provide feedback, comments or questions......thanks for your help.
> >>>
> >>>
> >>>"thawkz" wrote:
> >>>
> >>>
> >>>
> >>>>Good enough.....One followup question......I used the delegate control wizard
> >>>>to grant the required permissions for the HelpDesk group. The members of the
> >>>>group can now create/delete/modify NEW user accounts and reset passwords for
> >>>>these accounts, but cannot create/delete/modify/reset passwords for any
> >>>>accounts that existed PRIOR to my running the delegate control wizard.....any
> >>>>ideas on a cause and a fix?
> >>>>Thanks.
> >>>>
> >>>>"Joe Richards [MVP]" wrote:
> >>>>
> >>>>
> >>>>
> >>>>>You shouldn't use acc ops because there are side effects that tend to mess
> >>>>>people up (see adminsdholder functionality) plus it was put there simply as a
> >>>>>holdover from NT.
> >>>>>
> >>>>>The proper way to handle this is to create one or more groups and delegate the
> >>>>>permissions needed to those groups and add admins to the groups as needed.
> >>>>>
> >>>>>--
> >>>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>>www.joeware.net
> >>>>>
> >>>>>
> >>>>>thawkz wrote:
> >>>>>
> >>>>>
> >>>>>>Running (an inherited) Windows 2000 Active Directory.
> >>>>>>Helpdesk staff needed permissions to manage user account/reset passwds, etc.
> >>>>>>Added Helpdesk staff users to Account Operators built-in group.
> >>>>>>Helpdesk staff still not able to manage user accounts/passwords, etc.
> >>>>>>Used the Delegate Control wizard as workaround...... but I would like to fix
> >>>>>>the issue with Account Operators--how can I make sure the Account
> >>>>>>Operators built-in group has all of the required permissions? What settings
> >>>>>>do I check and where? (I suspect some of the default permissions for the
> >>>>>>Account Operators group have been modified, but I have no idea which
> >>>>>>ones....).
> >>>>>>Thanks.
> >>>>>>
> >>>>>
>