Solved

AD delegation

Posted on 2008-10-23
Last Modified: 2012-05-05
I have been asked to look into delegating access to certain sections of AD in order to allow privileged users to update information on a per-user basis (General, address, telephone and organisation tabs).

I have started off by giving my test user a custom task, "this folder, existing objects, and creation of new objects in the folder". I intend to change this longer term, but just wanted to try it out for testing.

So the user has access to each user properties page and I can amend details as I would expect, but on other users with the same OU all the tabs are greyed out. The users all appear to be identical and I believe they were all created at the same time (recent migration). Can anyone tell me why the properties page for some users is all greyed out and how I can resolve this, please?

Windows 2003 64bit SP (AD server) opening the console on a Citrix PS4.5 client session.  If you need further info let me know.
0
Question by:cntboys
4 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22788172
Are you sure the delegation permission is inherited to all the sub-OUs and objects?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22792189
If the greyed-out users are, or have ever been, members of any protected group such as Account Operators, Administrators, or Domain Admins, then this behavior is by design. See the following for more information: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
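An added example, not part of the original thread: a read-only check for the condition the accepted answer describes. Accounts that are or were in a protected group are stamped with adminCount=1 and have ACL inheritance switched off by the AdminSDHolder process, so a delegation granted on the OU never reaches them. The sketch assumes the ActiveDirectory PowerShell module on a management workstation (it does not ship with the Windows 2003 server mentioned in the question), PowerShell 3.0 or later, and a placeholder OU distinguished name.

```powershell
# Added diagnostic example; read-only. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: placeholder DN of the OU where the delegation was granted.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Protected groups are themselves stamped with adminCount=1. Collect the DNs of
# everyone who is currently a member, including members of nested groups.
# Assumption: every group flagged adminCount=1 is treated as protected; a group
# that was once nested in a protected group can keep a stale flag.
$protectedMembers = @{}
foreach ($group in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object {
                if (-not $protectedMembers.ContainsKey($_.DistinguishedName)) {
                    $protectedMembers[$_.DistinguishedName] = @()
                }
                $protectedMembers[$_.DistinguishedName] += $group.Name
            }
    } catch {
        Write-Warning "Could not expand $($group.Name): $($_.Exception.Message)"
    }
}

# Users in the OU that carry the flag. The flag is not cleared when a user
# leaves the group, which is the "or have ever been" case from the answer.
Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter '(adminCount=1)' `
           -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $groups = $protectedMembers[$_.DistinguishedName]
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            # True when the object no longer inherits ACEs from the OU.
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            CurrentlyProtected = [bool]$groups
            ViaGroups          = @($groups) -join ', '
        }
    } | Sort-Object CurrentlyProtected, SamAccountName | Format-Table -AutoSize
```

Rows with InheritanceBlocked true and CurrentlyProtected false are the accounts that were protected in the past and still carry the flag; rows with CurrentlyProtected true are still covered by the by-design behaviour.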
 

Author Comment

by:cntboys
ID: 22811605
Thanks for the replies, I was out of the office Friday so didn't get a chance to look at this.

It is possible (although unlikely) that these users were ever admins. If this was the case, though, would I be able to re-apply the permissions so the delegates can manage the accounts?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22811952
Did you read the link that I referenced above? It describes several workarounds to allow delegated permissions to apply to protected accounts.
0
