Re: Field greyed out when account ops try to unlock account
- From: "Richard Alexander" <copper_shotgun@xxxxxxxxxxx>
- Date: Wed, 7 Jun 2006 15:56:53 -0500
I ran the following command to try and restore inherited permissions at the OU
level and it said successfully completed, but if I go to the user object and
look at permissions, they are still not inheriting.
dsacls ou=users,ou=city,ou="dist division",DC=company,DC=local /I:T
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%23lEIvTeiGHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
Oh, as for the user not having the permissions on it, does the user have
inheritance enabled? If not, it is likely you are feeling the effects of
the adminSDHolder functionality, which you can google for; tons of
references to that now.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Richard Alexander wrote:
I tried running
dsacls cn=enduser,ou=users,ou=city,ou=dist division
but I get an error that system cannot open device or file.
Tried on several different accounts with same result. I did look at the
advanced features through MMC and can see the security tab. The group
that I created has access at the container (inherited from site level),
but when I look at the security on the user object it is not there.
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eWYBksPhGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
Look at the permissions on the problem account with dsacls, that should
tell the story.
Richard Alexander wrote:
I had another instance of this problem this morning. We had an account
that was locked out, but the 2 admins could not unlock it. Domain admin
had to unlock the account. This is in 2003, and the account was not a
member of a restricted account. Any help on this would be greatly
appreciated.
"Richard Alexander" wrote:
Just to clarify: I have 2 admins that are part of the account
operators group and occasionally someone will call in with a locked
account. They pull up the account properties and see the check there,
but it is greyed out and they cannot unlock. It is not one
particular userid, and it has happened several times to each one of
them. I have since taken them out of account operators and tried
using delegation with user manage rights to see if that resolves.
"Joe Richards [MVP]" wrote:
Dump the ACL of the user you can't modify with dsacls and post it.
Richard Alexander wrote:
No, just a regular user account. I thought maybe it was a
replication issue. Domain admins never have the issue, only the
people in the account operators group.
"Joe Richards [MVP]" wrote:
Is the account the person trying to unlock also an accop or admin
or something like that? Is the ACL on the object a little different
from what you are used to seeing, say no inherited ACEs?
Google the term adminSDHolder.
Richard Alexander wrote:
We are running a Server 2003 single domain structure and we have 2
servers at our corporate locations and 5 remote DCs at remote
locations all with a global catalog. Occasionally one of our
early morning staffers will need to unlock an account, but the
check box will be greyed out. I had them in the account operators
group from our old NT4 domain and read some things about
delegation. I set up a new group and did delegation but she had
the same issue this morning. I thought it might be something with
replication, but we have partial T1s to all the remotes, so I
don't think speed is an issue. Please respond as I'm out of
ideas.
Thanks
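The check Joe asks for in this thread (is inheritance enabled on the user, and are there any inherited ACEs?) can be read straight off the SDDL form of the account's security descriptor. The following is an added example, not code from the thread: the function names are hypothetical, and the two SDDL strings and the delegated group SID are constructed samples.

```python
import re

def _flags(field):
    # SDDL ACE flags are concatenated two-letter codes, e.g. "CIID".
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def dacl_summary(sddl):
    """Summarise the DACL part (D:...) of an SDDL security descriptor."""
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    dacl_flags, ace_blob = m.groups()
    # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", ace_blob)]
    inherited = [a for a in aces if "ID" in _flags(a[1])]
    return {
        # A leading "P" is the protected flag: inheritance is blocked.
        "protected": dacl_flags.startswith("P"),
        "inherited_aces": len(inherited),
        "explicit_aces": len(aces) - len(inherited),
        "allow_trustees": {a[5] for a in aces if a[0] in ("A", "OA")},
    }

def looks_inheritance_blocked(sddl, delegated_trustee):
    """True when the DACL is protected, carries no inherited ACEs and
    grants nothing to the delegated group: the pattern asked about above."""
    s = dacl_summary(sddl)
    return (s["protected"] and s["inherited_aces"] == 0
            and delegated_trustee not in s["allow_trustees"])

# Constructed SID standing in for the delegated unlock group.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1601"

# Constructed sample: a user that inherits the OU-level delegation.
NORMAL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(A;CIID;RPWP;;;" + HELPDESK + ")(A;CIID;RPLCLORC;;;AU)")

# Constructed sample: a user whose DACL is protected, explicit ACEs only.
STAMPED = ("O:DAG:DAD:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
           "(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("normal", NORMAL), ("stamped", STAMPED)):
        print(name, dacl_summary(sddl),
              looks_inheritance_blocked(sddl, HELPDESK))
```

An account that reports `protected: True` and zero inherited ACEs will not pick up a delegation granted at the OU, whatever the OU's own ACL says.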