Re: Access Denied - Trusting Computer for Delegation To Services - SORTED



OK got this sorted!

I tried with the default domain admin, which is usually disabled (we don't
use the default domain admin account, instead we made a copy of it, called
something non administrative looking, then disabled the default admin
account, so people can't guess the account by looking for SID 500), and it
worked, I was able to delegate cifs & HOST to the web server.

Strangely, after trying with the default admin account, I tried again with
the replacement admin account and it worked!

Thanks for the help

Ben

"Ben" <benb@xxxxxxxxxxxxxxxx> wrote in message
news:eCGOAYLOIHA.5264@xxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,

Thanks for your reply.

This is the problem, the account I'm using IS domain admin, as well as
Enterprise Admin AND Schema Admin! So I can't understand why it won't let
me set this delegation. I've even added the account to the 'Enable
computer and user accounts to be trusted for delegation' user right on the
default domain policy.

Any ideas?

Ben

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23c9ehpFOIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
I think you need to be a domain admin to set this flag on a user or
computer account. You can't delegate this locally. I think your domain
admins could potentially delegate this right to other users.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Ben" <benb@xxxxxxxxxxxxxxxx> wrote in message
news:eo6MqhCOIHA.6108@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I've set up some virtual directories in an IIS6 web site, which I would
like our users to be able to access externally. Having read the
following article:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx, I
am trying to set up delegation on the web server via active directory,
however, I have run into an error when performing the delegation steps
to assign the webserver 'trust this computer for delegation to specified
services only'. When I add the services, CIFS & HOST from the file
server, then click apply, I get an error: "The following Active
Directory error occurred: Access is denied".

Having googled around I found a post that said I had to add the 'Enable
computer and user accounts to be trusted for delegation' user right to
the default domain controller policy (Computer configuration > Windows
Settings > Security Settings > Local Policies > User Rights Management >
Enable computer and user accounts to be trusted for delegation), which I did.
However, even after running a GPUPDATE /FORCE on the domain controller I
still get the above error.

Does anyone know how to fix this error?

Many thanks

Ben
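
The "trust this computer for delegation to specified services only" setting from the original question is stored on the computer account as bits in userAccountControl plus the SPN list in msDS-AllowedToDelegateTo. As an added example (not part of the thread; the helper names, WEB01 to WEB03 and the example.test hosts are assumptions), this PowerShell classifies those attributes and flags any delegation target outside an approved list:

```powershell
# Added example. Documented userAccountControl bits:
$TRUSTED_FOR_DELEGATION         = 0x80000    # "delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

function Get-DelegationMode {
    # Hypothetical helper: maps the stored attributes to the Delegation tab option.
    param([Parameter(Mandatory)][int]$UserAccountControl, [string[]]$AllowedToDelegateTo)
    $spns = @($AllowedToDelegateTo | Where-Object { $_ })
    $t2a  = [bool]($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained (any service)' }
    if ($spns.Count -eq 0 -and $t2a) { return 'Protocol transition flag set, no target services' }
    if ($spns.Count -eq 0) { return 'Not trusted for delegation' }
    if ($t2a) { return 'Constrained (any authentication protocol)' }
    return 'Constrained (Kerberos only)'
}

function Test-DelegationTargets {
    # Hypothetical helper: returns SPNs on the account that are not in the approved list.
    # -notcontains compares case-insensitively, matching how SPNs are treated.
    param([string[]]$AllowedToDelegateTo, [Parameter(Mandatory)][string[]]$Approved)
    @($AllowedToDelegateTo | Where-Object { $_ -and ($Approved -notcontains $_) })
}

# Constructed sample records standing in for the output of:
#   Get-ADComputer WEB01 -Properties userAccountControl, msDS-AllowedToDelegateTo
# 0x1000 is WORKSTATION_TRUST_ACCOUNT, the base value for a member computer.
$approved = 'cifs/FILE01.example.test', 'HOST/FILE01.example.test'
$samples = @(
    [pscustomobject]@{ Name = 'WEB01'; userAccountControl = 0x1000
        'msDS-AllowedToDelegateTo' = @('cifs/FILE01.example.test', 'HOST/FILE01.example.test') }
    [pscustomobject]@{ Name = 'WEB02'; userAccountControl = (0x1000 -bor 0x80000)
        'msDS-AllowedToDelegateTo' = @() }
    [pscustomobject]@{ Name = 'WEB03'; userAccountControl = (0x1000 -bor 0x1000000)
        'msDS-AllowedToDelegateTo' = @('cifs/FILE01.example.test', 'http/APP01.example.test') }
)

foreach ($c in $samples) {
    $spns = $c.'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Name       = $c.Name
        Mode       = Get-DelegationMode -UserAccountControl $c.userAccountControl -AllowedToDelegateTo $spns
        Unexpected = (Test-DelegationTargets -AllowedToDelegateTo $spns -Approved $approved) -join ', '
    }
}
```

Against a live domain, replace `$samples` with the `Get-ADComputer` output shown in the comment; that cmdlet needs the ActiveDirectory module.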







