Solved

Active Directory (W2003SR2) Delegate Control issue

Posted on 2010-08-25
7
520 Views
Last Modified: 2013-12-04
I am trying to set up two reception users so that they can edit the Phone and Department fields within our Staff OU but it won't allow editing of existing user fields. At the last attempt I ran through the delegate control wizard and gave full access to the OU to each user (checked afterwards in the Security tab for the OU), but they still can't edit any of the fields within the user account (although they can happily delete/create users!). Am I missing something obvious?? Many thanks in advance!
0
Comment
Question by:PNickJames
  • 5
  • 2
7 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33519411
Did you do the following : - ?

In the Delegation of Control wizard, check the "Create a custom task to
delegate" option. After that, use the "Only the following objects in the
folder" option with "user objects" specified. On the next screen, you
can choose what attributes and permissions you want - make sure you use
Select the attributes you need and use:
http://www.frickelsoft.net/blog/?p=159 as a guide.

0
 

Author Comment

by:PNickJames
ID: 33522510
Thanks woolnoir,
that updated permissions on the OU fine, but when I look at the effective permissions of my users within the container they are unchanged. This appears to be because the majority of users have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitily defined here"  option unticked, so the permissions aren't propagating properly. Furthermore there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU so I can't see away of sorting this out without editing individual users (there are several hundred). Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
Thanks again.
0
 

Author Comment

by:PNickJames
ID: 33529555
I increased the points as I may have underestimated the complexity of this question. Any answers to the previous thread would be much appreciated!
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 20

Expert Comment

by:woolnoir
ID: 33529652
How are you allowing them to edit the fields ? using AD users & computers ? an currently when they try they cant edit all fields, some fields or ?
0
 

Author Comment

by:PNickJames
ID: 33530024
Hi woolnoir,

They are using AD users & computers and they can't edit any at all, even when I run the Delegation Control Wizard and give them full control to the OU in question. I think the fact that permissions don't seem to be cascading properly is causing the issue. This is only a logical conclusion - I will corroborate it and come back to you with the results later on.

Thanks, Nick.
0
 

Author Comment

by:PNickJames
ID: 33577392
Hello everybods,

I have tested this now and if I goto the Security tab of each user in the OU, click Advanced and tick the "Inherit from parent the permission entries that apply to child objects..." box, my receptionists can alter the telephone number and department fields. But how can I easily tick that box for all the users in the OU (there are 500+) when there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU? Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
0
 

Accepted Solution

by:
PNickJames earned 0 total points
ID: 33670816
Hi all,

I created a batch file in the end and used one of the resource kit tools to update the user objects so they would inheret permissions again, syntax as follows:
dsacls \\LDAP-DC\CN="UserName",OU=OFFICE,DC=test,DC=local /P:N
I extracted the list of users using Softerra LDAP browser and manipulated them using Excel, then Word Find and Replace to create the batch file.
It was a joy to watch it processing!!

Many thanks for your help woolnoir.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now