Solved

AD delegation

Posted on 2008-10-23
Last Modified: 2012-05-05
I have been asked to look into delegating access to certain sections of AD in order to allow privileged users to update information on a per-user basis (General, Address, Telephone and Organisation tabs).

I have started off by giving my test user a custom task "this folder, existing objects, and creation of new objects in the folder". I intend to change this longer term, but just wanted to try it out for testing.

So the user has access to each user properties page and I can amend details as I would expect, but on other users with the same OU all the tabs are greyed out. The users all appear to be identical and I believe they were all created at the same time (recent migration). Can anyone tell me why the properties page for some users is all greyed out and how I can resolve this please?

Windows 2003 64bit SP (AD server) opening the console on a Citrix PS4.5 client session.  If you need further info let me know.
0
Question by:cntboys
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22788172
Are you sure the delegation permission is inherited to all the sub-OUs and objects?
0
 
LVL 30

Accepted Solution

by: LauraEHunterMVP earned 500 total points
ID: 22792189
If the greyed-out users are, or have ever been, members of any protected group such as Account Operators, Administrators, or Domain Admins, then this behavior is by design. See the following for more information: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
 

Author Comment

by:cntboys
ID: 22811605
Thanks for the replies, I was out of the office Friday so didn't get a chance to look at this.

It is possible (although unlikely) that these users were ever admins. If this was the case though, would I be able to re-apply the permissions so the delegates can manage the accounts?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22811952
Did you read the link that I referenced above? It describes several workarounds to allow delegated permissions to apply to protected accounts.
0
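
A read-only check for the behaviour described in the accepted answer, added here as an example and not posted by anyone in the thread. It lists the accounts in a delegated OU that carry the protected-account marker (`adminCount=1`), shows whether permission inheritance is blocked on each, and separates accounts that are still in a protected group from former members whose flag was left behind. Assumptions: the ActiveDirectory PowerShell module is available, the OU path is a placeholder, and the attribute names and the group list come from general AD behaviour rather than from this thread.

```powershell
# Added example (not from the thread). Read-only: makes no changes to AD.
Import-Module ActiveDirectory

# Placeholder: distinguished name of the OU you delegated. Replace with your own.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Built-in groups commonly treated as protected (assumed list, not exhaustive).
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Enterprise Admins', 'Print Operators', 'Schema Admins', 'Server Operators'
)

# Map of DN -> group name for everyone who is in a protected group right now,
# including membership through nested groups.
$current = @{}
foreach ($name in $ProtectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if ($group) {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $current[$_.DistinguishedName] = $name }
    }
}

# adminCount=1 stays on an account after it leaves a protected group, and so
# does the blocked inheritance, which is why delegated rights do not reach it.
Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' `
           -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedVia       = $current[$_.DistinguishedName]
            Status             = if ($current.ContainsKey($_.DistinguishedName)) {
                                     'Currently in a protected group'
                                 } else {
                                     'Former member, flag left behind'
                                 }
        }
    } |
    Sort-Object Status, SamAccountName |
    Format-Table -AutoSize
```

Accounts reported as former members with `InheritanceBlocked` set to `True` are the ones where the OU-level delegation cannot apply until one of the workarounds in the linked article is used.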
