Re: Limit user access in SBS2003



Chace,

Thanks very much for the detailed answer... I have a much better
understanding now.

Are there tools though that can give an overview report of a user's
assigned rights over a specific OU, or even a whole domain?

Adrian


chace zhang wrote:
Date: Tue, 14 Nov 2006 17:25:32 +0000
From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Limit user access in SBS2003
Newsgroups: microsoft.public.windows.server.sbs

Hi,

Using the MMC, I'm trying to give access to User telephone numbers to HR.

I've used the MMC Author mode to create a New Taskpad View, and used
Delegate control to let my test user account to view the properties of
other users. I've done this several times now, so I think my test user
rights have gotten mixed.

But, an issue has appeared, my "testing user" account is a member of
domain users, but can now create/delete users - which I don't want.

So I've some questions:

1) How do I see what "privileges/rights" a specific user has?
2) How do I remove the rights I don't want them to have?
3) Can I create the MMC window so that a user can update/access another
users Telephone details, but not change any other User property (eg,
email addresses).

Thanks,

Adrian

Hi,

Hello Khant,

Thanks for posting in this newsgroup!

To verify if a role/permission was delegated to a user/group, you may
simply check if the user/group has the permissions you delegated on the
Security tab of the object (you should enable View > Advanced Features first).
However, you might notice that members of users/groups do not inherit the
delegated permissions from the parent container. This behavior occurs
because if you set permissions using the Delegation of Control wizard,
these permissions are not applied to members of protected groups. As a
workaround, you may remove the users/groups from the protected group. This
workaround is recommended by Microsoft.

Below is the list of the protected groups in Windows Server 2003:

- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
- Administrator
- Krbtgt

For details, please refer to the following MS KB article:

817433 Delegated permissions are not available and inheritance is automatically
http://support.microsoft.com/?id=817433



To delegate the permissions to change user's title, phone number, fax, etc,
you can follow these steps:

1. Create the group or user account that you want to have the ability to change
the property fields in Active Directory Users and Computers (for example,
Help Desk Admins).

2. Right-click the domain in Active Directory Users and Computers, and then
click Delegate Control from the menu that is displayed.

3. The Delegation of Control Wizard should be displayed. On the Welcome
dialog box, click Next.

4. On the Users and Groups dialog box, click Add. Select the group in the
list that you want to give the ability to change the property fields, and
then click OK. On the Users and Groups dialog box, click Next.

5. On the Tasks to Delegate dialog box, click "Create a custom task to
delegate", and then click Next.

6. On the "Active Directory Object Type" dialog box, click "Only the
following objects in the folder:". In the list, click "User objects" and
then click Next.

7. On the Permissions dialog box, click to clear the General check box, and
then click to select the Property-specific check box. In the Permissions
list, click to select the appropriate check boxes for the property fields
you want to delegate and then click Next.

8. On the "Completing the Delegation of Control Wizard" dialog box, click
Finish.


Below are the permissions for the property fields you listed:

Title:
----------
Read Title
Write Title


Phonenumber:
----------
Read Telephone Number
Write Telephone Number
Read Phone Number (Others)
Write Phone Number (Others)

Fax:
----------
Read Fax Number
Write Fax Number
Read Fax Number (Others)
Write Fax Number (Others)

More Information:
=======

315676 HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?id=315676


Hope the information above is useful. Have a nice day.

Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
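As an added example, not Microsoft's code and not something from either post above, here is a PowerShell script that does the three things this thread asks for: the wizard steps 1-8 as code (property-specific Read/Write on user objects below an OU, with no General rights, so no Create/Delete), the report Adrian asks for in his reply (every ACE granted to a user or group anywhere under an OU or the whole domain, with the attribute or extended right named instead of shown as a GUID), and removal of ACEs a principal should not have. It uses System.DirectoryServices ([ADSI]) rather than the ActiveDirectory module, so it runs from any domain-joined Windows machine with PowerShell against a Windows Server 2003 DC. The OU DN, the EXAMPLE domain, the "HR Phone Editors" group and "testuser" are assumed placeholders. The wizard's "Telephone Number" is the telephoneNumber attribute, "Phone Number (Others)" is otherTelephone, "Fax Number" is facsimileTelephoneNumber, "Fax Number (Others)" is otherFacsimileTelephoneNumber, and "Title" is title.

```powershell
# Added example for this thread (not Microsoft's code, not from either post).
# Uses System.DirectoryServices via [ADSI], so it runs from any domain-joined
# Windows machine with PowerShell against a Windows Server 2003 DC; the
# ActiveDirectory module is not required. All DNs and account names are placeholders.
Set-StrictMode -Version 2

$rootDse  = [ADSI]"LDAP://RootDSE"
$SchemaDn = $rootDse.Properties["schemaNamingContext"].Value
$ConfigDn = $rootDse.Properties["configurationNamingContext"].Value

# Return one property of the first object under $BaseDn matching $Filter, or $null.
function Find-One([string]$BaseDn, [string]$Filter, [string]$Property) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $s.Filter = $Filter
    [void]$s.PropertiesToLoad.Add($Property)
    $hit = $s.FindOne()
    if ($hit -eq $null) { return $null }
    return $hit.Properties[$Property.ToLower()][0]
}

# schemaIDGUID of an attribute or class, e.g. "telephoneNumber" or "user".
function Get-SchemaGuid([string]$LdapDisplayName) {
    $bytes = Find-One $SchemaDn "(lDAPDisplayName=$LdapDisplayName)" "schemaIDGUID"
    if ($bytes -eq $null) { throw "No schema object named '$LdapDisplayName'" }
    return New-Object System.Guid -ArgumentList (,[byte[]]$bytes)
}

# Map an ACE's ObjectType/InheritedObjectType GUID back to a name: attributes and
# classes via schemaIDGUID; extended rights and property sets (Reset Password,
# Personal Information, ...) via rightsGuid under CN=Extended-Rights.
function Resolve-SchemaGuid([Guid]$Guid) {
    if ($Guid -eq [Guid]::Empty) { return "(all)" }
    $escaped = ($Guid.ToByteArray() | ForEach-Object { "\" + $_.ToString("x2") }) -join ""
    $name = Find-One $SchemaDn "(schemaIDGUID=$escaped)" "lDAPDisplayName"
    if ($name -ne $null) { return [string]$name }
    $name = Find-One "CN=Extended-Rights,$ConfigDn" "(rightsGuid=$Guid)" "displayName"
    if ($name -ne $null) { return "right: $name" }
    return $Guid.ToString()
}

# Wizard steps 1-8 as code: Allow Read/Write of the given attributes, on user
# objects only, for everything below $OuDn (no General rights, so no Create/Delete).
function Grant-AttributeDelegation([string]$OuDn, [string]$Principal, [string[]]$Attributes) {
    $ou        = [ADSI]"LDAP://$OuDn"
    $identity  = New-Object System.Security.Principal.NTAccount($Principal)
    $rights    = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
    $userClass = Get-SchemaGuid "user"
    foreach ($attr in $Attributes) {
        $ctorArgs = @($identity, $rights,
                      [System.Security.AccessControl.AccessControlType]::Allow,
                      (Get-SchemaGuid $attr),                      # ObjectType = this attribute
                      [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                      $userClass)                                  # InheritedObjectType = user
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
        $ou.ObjectSecurity.AddAccessRule($ace)
    }
    $ou.CommitChanges()
}

# Report every explicit ACE under $SearchBaseDn that names one of $Principals.
# Pass the user AND each of its groups; ACEs are matched by SID, so renames don't matter.
function Get-DelegatedRights([string]$SearchBaseDn, [string[]]$Principals) {
    $sidToName = @{}
    foreach ($p in $Principals) {
        $nt  = New-Object System.Security.Principal.NTAccount($p)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $sidToName[$sid] = $p
    }
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$SearchBaseDn"
    $s.Filter      = "(objectClass=*)"
    $s.SearchScope = "Subtree"
    $s.PageSize    = 500                     # paged results for domains with >1000 objects
    [void]$s.PropertiesToLoad.Add("distinguishedName")
    foreach ($r in $s.FindAll()) {
        $entry = $r.GetDirectoryEntry()
        # $false = skip inherited ACEs, so each grant is listed once, where it was set.
        $aces = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $aces) {
            if (-not $sidToName.ContainsKey($ace.IdentityReference.Value)) { continue }
            New-Object PSObject -Property @{
                Object      = [string]$r.Properties["distinguishedname"][0]
                Principal   = $sidToName[$ace.IdentityReference.Value]
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                Target      = Resolve-SchemaGuid $ace.ObjectType
                AppliesTo   = Resolve-SchemaGuid $ace.InheritedObjectType
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Remove every explicit ACE for $Principal from one object (what "dsacls <DN> /R DOMAIN\name"
# does at a command prompt). Inherited ACEs must be removed where the report shows them set.
function Remove-PrincipalAces([string]$Dn, [string]$Principal) {
    $entry = [ADSI]"LDAP://$Dn"
    $entry.ObjectSecurity.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Principal)))
    $entry.CommitChanges()
}

# Usage with placeholder names:
# Grant-AttributeDelegation "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local" `
#     "EXAMPLE\HR Phone Editors" telephoneNumber, otherTelephone
# Get-DelegatedRights "DC=example,DC=local" "EXAMPLE\testuser", "EXAMPLE\Domain Users" | Format-Table -AutoSize
# Remove-PrincipalAces "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local" "EXAMPLE\testuser"
```

The report matches ACEs by the principal they name, so run it for the test user and for every group the user belongs to: a Create/Delete User objects ACE granted to Domain Users shows up under Domain Users, not under the user. Only explicit ACEs are listed, so each grant appears once, at the container where the wizard wrote it, which is also where Remove-PrincipalAces (or `dsacls <DN> /R DOMAIN\name`) has to be run to take it away. ACEs written by the wizard may also name a property set rather than a single attribute; those are reported as `right: ...` (for example `right: Personal Information`). The report shows what is set on the containers; for members of the protected groups listed above, KB 817433 still applies and the delegated ACEs do not reach the account objects themselves.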



