Re: Delegating Administration to a user.




Again, get a DSACLS dump; there are so many ways this can be screwed up that we could be guessing at things to check for a week. The DSACLS dump will show exactly what may be wrong, if anything, with the delegation.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Michael wrote:
There is no deny access for either the target user or my test user. I also noticed that all the fields are greyed out, not just the account boxes where lockout is located.

"admp.team@xxxxxxxxx" wrote:

Hi,

Right Click -> Properties -> Security -> Advanced tab of that
particular OU and check whether any "Deny" type ACE is present for that user.

Adam,
ADManager Plus Team.

On Feb 20, 3:55 am, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
Get and paste the text of a dsacls dump so we can see the actual delegation.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Michael wrote:
I have a user that I want to delegate the ability to create/delete users in
his OU, disable his accounts, and unlock user accounts.
I did the delegate wizard in Users and Computers and the user can create the
account but cannot unlock a locked account. I placed a check box in all
objects under "Delegate the following common tasks".
I also went under "Create a custom task to delegate" and gave full control to
all objects and this still had no effect.
Any suggestions would be greatly appreciated.
Thanks
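
The two checks requested in this thread (a DSACLS dump of the delegation, and a look for "Deny" ACEs), as an added example that is not part of the original posts. It assumes the RSAT ActiveDirectory PowerShell module is installed; the distinguished names and the account name are placeholders, and `Get-DelegationReport` is a hypothetical helper name. Unlocking an account is a write to the `lockoutTime` attribute, so the report also lists ACEs that allow the delegate to write it.

```powershell
# Added example, not from the thread. Placeholders: $OuDn, $UserDn, $Delegate.
Import-Module ActiveDirectory

$OuDn     = 'OU=ExampleOU,DC=example,DC=com'                 # placeholder OU
$UserDn   = 'CN=Locked User,OU=ExampleOU,DC=example,DC=com'  # placeholder target user
$Delegate = 'EXAMPLE\delegated.user'                         # placeholder delegate

# Raw text dumps, which is what the thread asks to have pasted.
dsacls $OuDn
dsacls $UserDn

# Read the schemaIDGUID of lockoutTime from the schema instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
        -Properties schemaIDGUID
$lockoutTimeGuid = [guid]$attr.schemaIDGUID

function Get-DelegationReport {   # hypothetical helper name
    param([string]$DistinguishedName, [string]$Trustee, [guid]$AttributeGuid)

    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $aces = (Get-Acl -Path "AD:\$DistinguishedName").Access

    # 1. Every Deny ACE on the object, explicit or inherited.
    $deny = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

    # 2. Allow ACEs for the trustee that cover writing the attribute.
    #    An empty ObjectType GUID means the right applies to all properties.
    #    ACEs granted through a group are not matched; check those groups separately.
    $allow = $aces | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProp) -and
        ($_.ObjectType -eq $AttributeGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        Object           = $DistinguishedName
        DenyAces         = @($deny)
        AllowWriteLockout = @($allow)
    }
}

# Check both the OU where the delegation was made and the locked user object itself.
foreach ($dn in $OuDn, $UserDn) {
    $r = Get-DelegationReport -DistinguishedName $dn -Trustee $Delegate -AttributeGuid $lockoutTimeGuid
    "{0}: {1} Deny ACE(s), {2} Allow ACE(s) covering lockoutTime" -f `
        $r.Object, $r.DenyAces.Count, $r.AllowWriteLockout.Count
    $r.DenyAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
}
```

Comparing the result for the OU with the result for the user object shows whether the delegation made on the OU actually reaches the account that cannot be unlocked.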

