Re: Trusted for delegation --- Help

From: "Tyler" <none@xxxxxxxx>
Date: Thu, 1 Jun 2006 08:40:47 -0500

Thank you for your response. The only problem is that the user that is
trying to perform this setting change already has the "Write
msDS-AllowedToDelegateTo" but they are still unable to make the property
change.

Any other ideas?

Tyler

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23OxOpXChGHA.3572@xxxxxxxxxxxxxxxxxxxxxxx

That setting is part of the userAccountControl attribute (a bit flag in
it), so your users would need rights to modify that attribute.

If you want to do constrained delegation (which you should use if you
can), they'll need access to the msds-allowedToDelegateTo attribute. They
may also need rights to set service principal names (servicePrincipalName
attribute), depending on what you are doing.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Tyler" <none@xxxxxxxx> wrote in message
news:OpxvgyBhGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx

How do I delegate to a group the rights "Trust computer for delegation"
and "Account is trusted for delegation"?

We have a distributive OU model; each OU is the admin over that OU and
all with in that OU. I need a way to give the OU admin the right to click
the "Trust computer for delegation" for their computer objects and
"Account is trusted for delegation" for their users objects how do I do
that?

http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true

"To perform this procedure, you must be a member of the Domain Admins
group or the Enterprise Admins group in Active Directory, or you must
have been delegated the appropriate authority." How? Where?

Tyler

Follow-Ups:
- Re: Trusted for delegation --- Help
  - From: Joe Kaplan \(MVP - ADSI\)
- Re: Trusted for delegation --- Help
  - From: Tyler

Prev by Date: Re: Need to change SID on Domain Controller
Next by Date: Re: View user groups
Previous by thread: Re: Unknown Objects prevent replication
Next by thread: Re: Trusted for delegation --- Help
Index(es):
- Date
- Thread

Relevant Pages

Re: Trusted for delegation --- Help
... for delegation" or "Account is trusted for delegation" for the users object. ... Co-author of "The .NET Developer's Guide to Directory Services ... I need a way to give the OU admin the right to ...
(microsoft.public.windows.server.active_directory)
Re: Access Denied - Trusting Computer for Delegation To Services
... This is the problem, the account I'm using IS domain admin, as well as ... Enterprise Admin AND Schema Admin!So I can't understand why it won't let me ... user accounts to be trusted for delegation' user right on the default domain ... Co-author of "The .NET Developer's Guide to Directory Services ...
(microsoft.public.windows.server.active_directory)
Re: Access Denied - Trusting Computer for Delegation To Services - SORTED
... I tried with the default domain admin, which is usually disabled (we don't ... use the default domain admin account, instead we made a copy of it, called ... computer and user accounts to be trusted for delegation' user right on the ... Co-author of "The .NET Developer's Guide to Directory Services ...
(microsoft.public.windows.server.active_directory)
Re: Delegation Wizard
... > computers OU Built-In or not!! ... * Configure the delegation of control wizard as mentioned in the links ... * create separate admin accounts to perform admin tasks ... * Create an OU for the Admin roles and the admin tasks ...
(microsoft.public.win2000.active_directory)
Re: Security permissions bug or inheritant permissions??
... Take a look at the Delegation Whitepaper at MS Downloads. ... > We use delegated rights for other people in the IS department (for handling ... > to shrink our domain admin memberships. ... remove them from the domain admins group and use delegation to ...
(microsoft.public.win2000.active_directory)