Re: Delegating control

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

No i did not try dsacls ...

OK I will try it and inform you..

Thanx


"chriss3 [MVP]" <nospamhere_chrisse@xxxxxxxxxx> wrote in message
news:1AA63058-2D96-44B0-9D6E-D6AB575A1F9C@xxxxxxxxxxxxxxxx
You may have a Deny ACL that prevents the Allow ACL?

Did you tried my suggested dsacls command?

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"boxer" <jutro@xxxxxxxxxxxxxx> wrote in message
news:%238oecOi3GHA.4588@xxxxxxxxxxxxxxxxxxxxxxx
Yes I did...

I selected one user, in "Apply on to" I select "User objects" and click
property :

Read and write Phone and mail options.

And it still can not ??



"chriss3 [MVP]" <nospamhere_chrisse@xxxxxxxxxx> wrote in message
news:D9E0C957-4364-4F66-BDE3-FE4ED61B23D4@xxxxxxxxxxxxxxxx
Hello
You can modify the security within AD Users and Computers by first click
the View menu and select advanced mode. Right Click the particular OU
where you what the delegation to take place, Click the Security Tab,
Click Advanced and grant a security principal (users, group, computer)
Read and Write object to the mail attribute and have it applied to child
objects, or only to user objects if you only want to delegate the
ability to modify the mail attribute on user accounts.

You can also use the command line based tool dsacls with the following
syntax:
dsacls "<ContainerPath>" /I:S /G "<domain>\<alias>:RPWP;mail;user"

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"aj" <aj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6078983-4F53-4B8E-BA3A-814B5D5C6D45@xxxxxxxxxxxxxxxx
Please help :)

I want to set delegation for one user who must enter email adresses in
active directory account, but only that.

Email adressess are in "General" tab of account properties and even I
set
delegation with "Delegate Control wizard", then set that this user can
Read
and write General properties USER can not write on column Email.

Thanx in advanced

Igor






.

Relevant Pages

  • Re: granting anonymous access persmissions on the partition head
    ... Microsoft MVP - Directory Services ... > In the Microsoft doc "How Active Directory Application Mode Works", ... > you can grant anonymous access to an entire partition with DSACLS. ... > No Sid Found for NT AUTHORITY/ANONYMOUS LOGIN ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegation of Administrative Tasks
    ... > I've got a problem with delegation the administration of company-wide ... > contacts created in active directory and enabled for Exchange 2000: ... > Microsoft Active Directory - Exchange Extension ...
    (microsoft.public.exchange2000.admin)
  • Re: Avoiding password history setting
    ... I am spending most of my time right now putting the final touches on O'Reilly's Active Directory 3rd Edition. ... They should have a setting to specify history in the product itself, you shouldn't need to use the domain policy for that to be enforced. ... Further, I know their product works with a delegated account, I wouldn't let them use anything else and they had to correct the product to work. ... As for delegation, there is nothing that walks through every single possible thing you can click on as it is extensiable. ...
    (microsoft.public.windows.server.active_directory)
  • Re: IIS 6 Cannot Access Remote Files with the FileSystemObject
    ... it is not possible to enable delegation without Active Directory. ... delegation is to create trust between two machines -- and without a mutually ...
    (microsoft.public.inetserver.iis)
  • Re: accessing Active Directory
    ... I find the document and tried to apply the delegation in the active directory ... then I made the web server computer to be trusted for delegation ... then you can use a service account instead. ...
    (microsoft.public.dotnet.security)