Re: Delegating control

From: "chriss3 [MVP]" <nospamhere_chrisse@xxxxxxxxxx>
Date: Fri, 22 Sep 2006 14:12:05 +0200

You may have a Deny ACL that prevents the Allow ACL?

Did you tried my suggested dsacls command?

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"boxer" <jutro@xxxxxxxxxxxxxx> wrote in message news:%238oecOi3GHA.4588@xxxxxxxxxxxxxxxxxxxxxxx

Yes I did...

I selected one user, in "Apply on to" I select "User objects" and click property :

Read and write Phone and mail options.

And it still can not ??

"chriss3 [MVP]" <nospamhere_chrisse@xxxxxxxxxx> wrote in message news:D9E0C957-4364-4F66-BDE3-FE4ED61B23D4@xxxxxxxxxxxxxxxx
Hello
You can modify the security within AD Users and Computers by first click the View menu and select advanced mode. Right Click the particular OU where you what the delegation to take place, Click the Security Tab, Click Advanced and grant a security principal (users, group, computer) Read and Write object to the mail attribute and have it applied to child objects, or only to user objects if you only want to delegate the ability to modify the mail attribute on user accounts.

You can also use the command line based tool dsacls with the following syntax:
dsacls "<ContainerPath>" /I:S /G "<domain>\<alias>:RPWP;mail;user"

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"aj" <aj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A6078983-4F53-4B8E-BA3A-814B5D5C6D45@xxxxxxxxxxxxxxxx
Please help :)

I want to set delegation for one user who must enter email adresses in
active directory account, but only that.

Email adressess are in "General" tab of account properties and even I set
delegation with "Delegate Control wizard", then set that this user can Read
and write General properties USER can not write on column Email.

Thanx in advanced

Igor

Follow-Ups:
- Re: Delegating control
  - From: boxer

References:
- Re: Delegating control
  - From: chriss3 [MVP]
- Re: Delegating control
  - From: boxer

Prev by Date: Problem with Custom MMC
Next by Date: Re: Single user issue; best troubleshooting
Previous by thread: Re: Delegating control
Next by thread: Re: Delegating control
Index(es):
- Date
- Thread

Relevant Pages

Re: Where are the exchange attributes for user objects?
... Microsoft MVP - Directory Services ... I need to know where to set permissions for the exchange> attributes on the user objects. ...
(microsoft.public.exchange.admin)
Re: Calling NetUserGetInfo from ASP.NET app
... ImpersonateLoggedOnUser using the username and password passed to the web ... Also, when using basic auth, you aren't really using Kerberos delegation ... Co-author of "The .NET Developer's Guide to Directory Services ... although calling the WinNT provider and NetUserGetInfo both ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Calling NetUserGetInfo from ASP.NET app
... I am using Integrated Windows Authentication, ... you wouldn't need delegation to work. ... I also enabled logon auditing in the local ... Co-author of "The .NET Developer's Guide to Directory Services ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Delegation of Control
... MVP - Directory Services ... Somewhat of a newbie here with Delegation of Control. ... give them access to active directory from a remote pc to make changes ... They are local administrators on there computer but I ...
(microsoft.public.windows.server.active_directory)
Re: Trusted for delegation --- Help
... If you want to do constrained delegation (which you should use if you ... they'll need access to the msds-allowedToDelegateTo attribute. ... Co-author of "The .NET Developer's Guide to Directory Services ... I need a way to give the OU admin the right to click ...
(microsoft.public.windows.server.active_directory)