Re: Trusted for delegation --- Help



Do they have rights to change userAccountControl? That is where the
delegation flags are actually set.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Tyler" <none@xxxxxxxx> wrote in message
news:u4Fe%23DYhGHA.1612@xxxxxxxxxxxxxxxxxxxxxxx
Thank you for your response. The only problem is that the user that is
trying to perform this setting change already has the "Write
msDS-AllowedToDelegateTo" but they are still unable to make the property
change.



Any other ideas?



Tyler



"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23OxOpXChGHA.3572@xxxxxxxxxxxxxxxxxxxxxxx
That setting is part of the userAccountControl attribute (a bit flag in
it), so your users would need rights to modify that attribute.

If you want to do constrained delegation (which you should use if you
can), they'll need access to the msds-allowedToDelegateTo attribute.
They may also need rights to set service principal names
(servicePrincipalName attribute), depending on what you are doing.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Tyler" <none@xxxxxxxx> wrote in message
news:OpxvgyBhGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
How do I delegate to a group the rights "Trust computer for delegation"
and "Account is trusted for delegation"?



We have a distributive OU model; each OU is the admin over that OU and
all within that OU. I need a way to give the OU admin the right to
click the "Trust computer for delegation" for their computer objects and
"Account is trusted for delegation" for their user objects. How do I do
that?



http://technet2.microsoft.com/WindowsServer/en/Library/220e1370-9e39-4b4c-a2a9-5295d21591991033.mspx?mfr=true



"To perform this procedure, you must be a member of the Domain Admins
group or the Enterprise Admins group in Active Directory, or you must
have been delegated the appropriate authority." How? Where?





Tyler
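
Added example, not part of the original thread and not written by its participants: a small Python audit helper showing how the three attributes named above (userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName) combine into a delegation setting. The flag constants are the documented userAccountControl bit values; the function names and the sample entries are constructed for illustration.

```python
# Documented userAccountControl bit flags related to delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # "trusted for delegation" (unconstrained)
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, "use any authentication protocol"


def classify(entry):
    """Return the delegation findings for one directory entry (a dict of attributes)."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    spns = entry.get("servicePrincipalName", [])
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained")
    if targets:
        # Constrained delegation: the target list lives outside userAccountControl.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained-any-protocol")
        else:
            findings.append("constrained-kerberos-only")
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol-transition-flag-without-targets")
    if findings and not spns:
        findings.append("no-spn")  # delegation configured but no SPN registered
    if uac & NOT_DELEGATED:
        findings.append("not-delegatable")
    return findings


def audit(entries):
    """Map account name -> findings, skipping accounts with nothing to report."""
    report = {}
    for entry in entries:
        findings = classify(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report


# Constructed sample entries (not real directory data).
SAMPLE = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000,
     "servicePrincipalName": ["HOST/web01.example.test"]},
    {"sAMAccountName": "svc-app", "userAccountControl": 0x200 | 0x1000000,
     "servicePrincipalName": ["HTTP/app.example.test"],
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "svc-report", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HTTP/app.example.test"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200 | 0x100000},
    {"sAMAccountName": "bob", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

Feeding it attributes exported from each delegated OU shows which accounts the OU admins have actually marked for delegation, and of which kind.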









