?
Solved

AD delegation

Posted on 2008-10-23
4
Medium Priority
?
234 Views
Last Modified: 2012-05-05
I have been asked to look into delegating access to certain sections of AD in order to allow priviledges users to update information on a per user basis (General, address, telelphone and organisation tabs)

I have started off by giving my test user a custom task "this fodler, exisintg objects, and creation of new objects in the folder" I intend to change this longer term, but just wanted to try it out for testing.

so the user has access to each user properties page and I can amend details as iw ould expect, but on other users with the same OU all the tabs are greyed out, the users all appear to be identical and I believe they were all created at the same time (recent migration) Can anyoen tell me why the properties page for some users is all greyed out and how I can reolve this please?

Windows 2003 64bit SP (AD server) opening the console on a Citrix PS4.5 client session.  If you need further info let me know.
0
Comment
Question by:cntboys
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22788172
r u sure the delegation permission is inherited to all the sub ou's and objects ?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1500 total points
ID: 22792189
If the greyed-out users are, or have ever been, members of any protected group such as Account Operators, Administrators, or Domain Admins, then this behavior is by design. See the following for more information: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
0
 

Author Comment

by:cntboys
ID: 22811605
Thanks for the replies, Iw as out fo the office rfiday so didnt get chance to look at this.

It is possible (although unlikely) that these users were ever admins, if this was the case thoguh, would I be able to re-apply the permissions so the delegates can manage the accounts?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22811952
Did you read the link that I referenced above? It describes several workarounds to allow delegated permissions to apply to protected accounts.
0

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question