Solved

AD delegation

Posted on 2008-10-23
Last Modified: 2012-05-05
I have been asked to look into delegating access to certain sections of AD in order to allow privileged users to update information on a per-user basis (General, Address, Telephone and Organisation tabs).

I have started off by giving my test user a custom task "this folder, existing objects, and creation of new objects in the folder". I intend to change this longer term, but just wanted to try it out for testing.

So the user has access to each user's properties page and I can amend details as I would expect, but on other users with the same OU all the tabs are greyed out. The users all appear to be identical and I believe they were all created at the same time (recent migration). Can anyone tell me why the properties page for some users is all greyed out and how I can resolve this, please?

Windows 2003 64bit SP (AD server) opening the console on a Citrix PS4.5 client session.  If you need further info let me know.
Question by:cntboys
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22788172
Are you sure the delegation permission is inherited by all the sub-OUs and objects?
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 22792189
If the greyed-out users are, or have ever been, members of any protected group such as Account Operators, Administrators, or Domain Admins, then this behavior is by design. See the following for more information: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

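A way to check which accounts in the delegated OU fall under the protected-group behaviour described in the accepted solution, as an added example that is not part of the original thread. It relies on the AdminSDHolder mechanism (not named in the thread), which stamps `adminCount=1` on protected accounts and disables ACL inheritance on them, and does not clear either when the account leaves the group. Assumptions: the ActiveDirectory PowerShell module is available, `$SearchBase` is a placeholder OU, and the group list is the commonly protected set, to be adjusted for the domain.

```powershell
# Added diagnostic example; read-only, changes nothing in the directory.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # placeholder: the delegated OU

# Commonly protected groups (assumption: adjust to match the domain).
$ProtectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
                   'Print Operators', 'Server Operators', 'Domain Admins',
                   'Enterprise Admins', 'Schema Admins'

# Everyone who is a member right now, including through nested groups.
$protectedNow = foreach ($group in $ProtectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName
}
$protectedNow = @($protectedNow | Sort-Object -Unique)

$report = Get-ADUser -SearchBase $SearchBase -Filter * `
                     -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        # True when the object no longer inherits ACEs from the OU, so the
        # delegation granted on the OU never reaches this account.
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        $member  = $protectedNow -contains $_.DistinguishedName

        if ($_.adminCount -eq 1 -and $member) {
            $finding = 'Current protected member (by design)'
        }
        elseif ($_.adminCount -eq 1) {
            $finding = 'Former protected member: stale adminCount'
        }
        elseif ($blocked) {
            $finding = 'Inheritance blocked for another reason'
        }
        else {
            $finding = 'Inherits OU delegation'
        }

        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $blocked
            InProtectedGroup   = $member
            Finding            = $finding
        }
    }

$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

Accounts reported as former members are the ones where inheritance can be re-enabled so the OU delegation applies again; current members will have it removed again by the next AdminSDHolder pass.
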
Author Comment

by:cntboys
ID: 22811605
Thanks for the replies, I was out of the office Friday so didn't get a chance to look at this.

It is possible (although unlikely) that these users were ever admins. If this was the case though, would I be able to re-apply the permissions so the delegates can manage the accounts?
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22811952
Did you read the link that I referenced above? It describes several workarounds to allow delegated permissions to apply to protected accounts.