Re: Account Management Delegation
- From: SubnetJO <SubnetJO@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Sep 2008 06:04:02 -0700
Thank you for your kind reply.
I have already read that article, but I didn't follow the instructions.
The reasons are:
[1]
I'm already able to see the pwdlastset property (read/write) for the "user
object".
If I want, I can flag only that property.
[2]
I have given the user even "full control".
With "Full Control" I usually mean "User can do everything". No other flag
to set.
After applying the full control, I checked the pwdlastset properties
(read/write) and they were checked like all the others.
Even in this condition the user is unable to clear that flag.
If I create a fresh new OU and a fresh new user, I assign "full control" to
the new user on the new OU... I still have that problem.
"Domain Admins" don't suffer this behaviour... really don't know.
Thank you for your help
SubnetJO
"Meinolf Weber" wrote:
Hello SubnetJO,
See here:
http://support.microsoft.com/kb/296999
Also have a look here for creating your own taskpads:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi All.
I have a forest with 2 domains.
I want to grant some users to manage the account properties of the users
under an OU.
When the delegated user checks "user must change password at next logon",
there is no problem. He applies the setting and everything goes fine.
If the same user wants to clear the same property he applied the minute
before, he receives the following error:
"The following Active Directory error occurred: Access is Denied"
I set the permissions manually and after using the "Delegation
Wizard", but the result I achieve is always the same.
I tried, always using both methods, to give ALL the permissions to the
delegated users, but they always receive that error message.
In the security tab of a user account the delegated users should be able to
manage, I can read they have (even) "full control"!
But they cannot change the state of any Account properties flag.
If I try the same activity with my "Domain Admins" account everything
works, but I don't want to grant those users such high privileges.
Why users who have "Full control" (also verified with the "effective
permissions" tab) over an object, can't manage it?
Any idea?
Thank you all for your precious help.
SubnetJO