Solved

Delegation Control- Checking permissions and getting it working with new updates

Posted on 2008-06-16
1
237 Views
Last Modified: 2012-05-05
We have a windows SBS Server 2003, with WSUS 3.1 installed. Previously we had delegated the sysadmin to take control over one Organizational Unit so he could take control over resetting of the passwords of the users in that particular OU. This seem to work all fine with ADMIN PACK 2003 installed on his machines until his machine and the server both were updates using the WSUS Server. His machine has now got XP SP3. Here are the 2 issues I am trying to solve -

1. The user that was delegated control can no longer reset passwords or disable/enable accounts for that OU. When he tried to do that, he gets an error saying - "Windows cannot disable object "%username%" because: insufficient access rights to perform the operation".
I have reassigned the delegation rights on that OU a couple of times with no luck. Also I have tried uninstalling and re-installing the admin pack on that machine.

2. I have checked the user permissions using ACL DIAG tool and the sys admin has got all the delegated permissions needed. What else can be the problem??

Also I just noted that he can create new users but cannot modify properties on existing user objects.
0
Comment
Question by:easynet07
1 Comment
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 21798380
Make sure that there is no explicit DENY for the user
0

Join & Write a Comment

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now