• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 537
  • Last Modified:

Active Directory (W2003SR2) Delegate Control issue

I am trying to set up two reception users so that they can edit the Phone and Department fields within our Staff OU but it won't allow editing of existing user fields. At the last attempt I ran through the delegate control wizard and gave full access to the OU to each user (checked afterwards in the Security tab for the OU), but they still can't edit any of the fields within the user account (although they can happily delete/create users!). Am I missing something obvious?? Many thanks in advance!
0
PNickJames
Asked:
PNickJames
  • 5
  • 2
1 Solution
 
woolnoirCommented:
Did you do the following : - ?

In the Delegation of Control wizard, check the "Create a custom task to
delegate" option. After that, use the "Only the following objects in the
folder" option with "user objects" specified. On the next screen, you
can choose what attributes and permissions you want - make sure you use
Select the attributes you need and use:
http://www.frickelsoft.net/blog/?p=159 as a guide.

0
 
PNickJamesAuthor Commented:
Thanks woolnoir,
that updated permissions on the OU fine, but when I look at the effective permissions of my users within the container they are unchanged. This appears to be because the majority of users have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitily defined here"  option unticked, so the permissions aren't propagating properly. Furthermore there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU so I can't see away of sorting this out without editing individual users (there are several hundred). Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
Thanks again.
0
 
PNickJamesAuthor Commented:
I increased the points as I may have underestimated the complexity of this question. Any answers to the previous thread would be much appreciated!
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
woolnoirCommented:
How are you allowing them to edit the fields ? using AD users & computers ? an currently when they try they cant edit all fields, some fields or ?
0
 
PNickJamesAuthor Commented:
Hi woolnoir,

They are using AD users & computers and they can't edit any at all, even when I run the Delegation Control Wizard and give them full control to the OU in question. I think the fact that permissions don't seem to be cascading properly is causing the issue. This is only a logical conclusion - I will corroborate it and come back to you with the results later on.

Thanks, Nick.
0
 
PNickJamesAuthor Commented:
Hello everybods,

I have tested this now and if I goto the Security tab of each user in the OU, click Advanced and tick the "Inherit from parent the permission entries that apply to child objects..." box, my receptionists can alter the telephone number and department fields. But how can I easily tick that box for all the users in the OU (there are 500+) when there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU? Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
0
 
PNickJamesAuthor Commented:
Hi all,

I created a batch file in the end and used one of the resource kit tools to update the user objects so they would inheret permissions again, syntax as follows:
dsacls \\LDAP-DC\CN="UserName",OU=OFFICE,DC=test,DC=local /P:N
I extracted the list of users using Softerra LDAP browser and manipulated them using Excel, then Word Find and Replace to create the batch file.
It was a joy to watch it processing!!

Many thanks for your help woolnoir.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now