Re: 2003 Server Client/Delegation and Data Issues
- From: Diane <Diane@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Aug 2009 09:04:02 -0700
Hi Ace,
The test account has the same issue as the junior admin. The lockout is
grayed out. The AD information is up to date - I could view the account I
had just created, and all else looked fine. Good test - it appears it's not
the group, so I guess we're left with something denying all users, or
something on the win2k3 server? I could not get the old win2k box online
due to other commitments. I will still go for that. If it works, that
would eliminate the denying-all-users possibility and leave the win2k3
server. If you have other ideas about what I can look at, I would be
grateful.
Thank you!
Diane
"Ace Fekay [MCT]" wrote:
"Diane" <Diane@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9C017A2C-DC69-4571-8B7A-7DB7F4B6C95E@xxxxxxxxxxxxxxxx
Hello again Ace -
I'm sorry I have not been in touch for a few days. I got redirected to a
user with a huge data load for an application. That is under control, so I
am back looking at AD.
A few updates - The win2003 server is now showing the proper AD data. I
really don't know what caused this change, but it is for the better. The
junior admin still cannot unlock - the last issue. As I learn my way around
AD, I am starting to suspect a permissions conflict, as I have poked around
further into the various groups this user is a member of. This may be a
case of a little knowledge being dangerous, as I can clearly see there is a
ton to learn here - if you can bear with me, this is what I observed.
The jr. admin is a member of the Remote Desktop Users group at the domain
level, which has no AD permissions. On the win2k3 server, there is also a
local Remote Desktop Users group. I added the junior admin group to the
local Remote Desktop Users group to give them terminal services access. That
works fine.
Logging on as the administrator on the win2k3 server, I can look at the jr.
admin and see she has the read/write lockout capability as a member of the
jr. admins group (Properties/Advanced/Effective Permissions). When I look at
her Remote Desktop group effective permissions, that permission does not
exist.
I did some research on permission precedence and my head is now spinning. I
saw that precedence started with the local system and worked up to the
domain. I know there are also various places where I can allow inheritance.
If you think this is a reasonable source of the problem, could you please
jot down what needs to be set where for inheritance and permissions on the
domain and local system? I also noted a few entries with "Account Unknown"
and a red question mark. My "keep things clean" attitude really wants to
delete them, but I could not find a good description of why they occur and
if it's OK to just delete them. I would very much appreciate it if you could
point me to a resource, or help me understand their source.
Thank you very much for your continuing help and support.
Ok, it seems like permissions may be the issue.
As a test, create a plain old Domain User account. Don't add it to the
Remote Desktop group. Delegate the account to the OU with the same tasks as
you did the other one that's not working. On a test desktop, follow the
procedure I previously posted about just adding the ADUC to the machine,
that is, if the adminpak has not been installed yet; if it is, no problem.
Open the ADUC console, and test it.
If it works, that's good.
Then remove the account from the OU's Security tab. Then add the test
account to the Jr Admin Group, log out the account, then log back in,
and test it again. If it works, then it's something on the Windows 2003
server causing it. If it doesn't work, then something's denying that group.
As for permissions guidelines, as long as she has permissions by being in
the Jr Admin Group, and is not denied in any other group, whether the other
group has the permissions or not, she will have the permissions in AD,
because permissions are cumulative, meaning the account gets all permissions
from all the groups it's been added to.
I hope that helps.
Ace
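The test Ace describes is done by hand in ADUC; the script below is an added example (not from this thread or from either poster) that does the same check from the command line: it gathers every SID a user's token carries, reads the delegated OU's ACL, and lists the ACEs that apply to that user, flagging any Deny entry (which overrides an Allow from another group) and whether the entry covers the lockoutTime attribute. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the account name and OU distinguished name below are replaced with real ones; both are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and that the account and OU named below exist; both values are placeholders.
Import-Module ActiveDirectory

$UserSam = 'jradmin.test'                  # assumed test account
$OuDn    = 'OU=Staff,DC=example,DC=com'    # assumed delegated OU

# Look up the schema GUID of lockoutTime from this forest instead of hard-coding it.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$lockoutAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutGuid = [guid]$lockoutAttr.schemaIDGUID

# Collect every SID the user's token carries: the user plus all nested groups
# (LDAP_MATCHING_RULE_IN_CHAIN walks group nesting on the server side).
$user      = Get-ADUser $UserSam
$groups    = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$tokenSids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($ace in $acl.Access) {
    # Trustees that no longer resolve are the "Account Unknown" entries seen in the
    # GUI, usually ACEs left behind by a deleted principal. Report them, don't delete.
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { Write-Warning "Orphaned ACE for $($ace.IdentityReference): $($ace.AccessControlType) $($ace.ActiveDirectoryRights)"; continue }

    if ($tokenSids -notcontains $sid) { continue }

    # ObjectType is the empty GUID when the ACE covers every property, otherwise one attribute.
    $coversLockout = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $lockoutGuid)
    [pscustomobject]@{
        Trustee       = $ace.IdentityReference.Value
        Type          = $ace.AccessControlType   # a Deny here wins over any Allow from another group
        Rights        = $ace.ActiveDirectoryRights
        CoversLockout = $coversLockout
        Inherited     = $ace.IsInherited
    }
}
```

A user who cannot unlock accounts should show either no row with CoversLockout = True and WriteProperty rights, or a Deny row from one of the groups listed; the warnings identify the orphaned entries without removing them.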