AD Delegation problems

From: "Randy Jackson" <rjackson@xxxxxxxxxxxxxx>
Date: Mon, 21 Jul 2008 12:11:25 -0400

I used the AD delegation wizard to give a security group permission to
create/modify/delete user objects and groups for a user and group OU. This
OU has several sub OU's.

After using the wizard I went back and switched my ADUC to advanced view and
modified the security list to prevent this group from deleting users and
creating/deleting groups by using the explicit DENY permission. I checked
the effective permission on the parent and child OU's for a user in the
security group and both show that they have the rights to create users but
not be able to delete them or create or delete groups.

I then have this user open ADUC and try and create a user and delete a user
from the parent OU. They are able to create but not delete a user, even a
user they created. They are also unable to create or delete groups, which is
great. However, in all of the child OU's, this user is able to delete user
objects, but the funny thing is they can not create groups.

Why is the delete user security setting not propogating down to the child
OU's? I went in and select for the "Deny delete user objects" to apply to
this container and all child objects, however that still does not work. I've
checked the "Delete" and "Delete subtree" options as well and set those to
Deny, still no luck.

Any one have any idea on how I can give this group the ability to create
users but to not be able to delete any object?

Also, I've given them the ability to create all child objects and denied
them the ability to delete any child object. I would like them to be able to
create a new user account and setup the Exchange mailbox with the user,
however even with being able to create all child objects on a user account,
they still can not select the store to place the user in when creating a new
account.

Thanks in advance for your help.

.

Follow-Ups:
- Re: AD Delegation problems
  - From: Jorge de Almeida Pinto [MVP - DS]

Prev by Date: FQDN as .com versus .local - Change?
Next by Date: My Docs redirection enables Offline Files which stops network acce
Previous by thread: FQDN as .com versus .local - Change?
Next by thread: Re: AD Delegation problems
Index(es):
- Date
- Thread

Relevant Pages

Re: Fax printer inaccessible
... Give "Print" permission to the security group on the shared fax printer. ... If it is a local user, it goes as anonymous to the server. ... >> with the default security settings, even if you have faxing permissions ...
(microsoft.public.win2000.fax)
Re: Distribution Groups changing to Security Groups
... Try to reapply the permission now that you have changed your domain mode. ... > security group with the same members, the last group will have the given ... >>Joe Richards Microsoft MVP Windows Server Directory Services ...
(microsoft.public.exchange2000.active.directory.integration)
RE: Home Folder - Users Shared Folders Issues
... even using security group. ... folder is combined with security permission and sharing permission. ... This newsgroup only focuses on SBS technical issues. ...
(microsoft.public.windows.server.sbs)
Re: Txt and users levels?
... Is there a way to display on forms a message "You have permission to ... 'Determines whether UsrName is a member of a security group GrpName ... Dim IIG As Boolean ...
(microsoft.public.access.formscoding)
Re: OU Admin Rights
... If you remove the Allow permission on Delete Subtree for the OU, ... prevent them from deleting an OU that has child objects. ... We're having problems with OU Admins deleting entire OU's accidently. ...
(microsoft.public.windows.server.active_directory)