Solved

Active Directory (W2003SR2) Delegate Control issue

Posted on 2010-08-25
7
524 Views
Last Modified: 2013-12-04
I am trying to set up two reception users so that they can edit the Phone and Department fields within our Staff OU but it won't allow editing of existing user fields. At the last attempt I ran through the delegate control wizard and gave full access to the OU to each user (checked afterwards in the Security tab for the OU), but they still can't edit any of the fields within the user account (although they can happily delete/create users!). Am I missing something obvious?? Many thanks in advance!
0
Comment
Question by:PNickJames
  • 5
  • 2
7 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33519411
Did you do the following : - ?

In the Delegation of Control wizard, check the "Create a custom task to
delegate" option. After that, use the "Only the following objects in the
folder" option with "user objects" specified. On the next screen, you
can choose what attributes and permissions you want - make sure you use
Select the attributes you need and use:
http://www.frickelsoft.net/blog/?p=159 as a guide.

0
 

Author Comment

by:PNickJames
ID: 33522510
Thanks woolnoir,
that updated permissions on the OU fine, but when I look at the effective permissions of my users within the container they are unchanged. This appears to be because the majority of users have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitily defined here"  option unticked, so the permissions aren't propagating properly. Furthermore there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU so I can't see away of sorting this out without editing individual users (there are several hundred). Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
Thanks again.
0
 

Author Comment

by:PNickJames
ID: 33529555
I increased the points as I may have underestimated the complexity of this question. Any answers to the previous thread would be much appreciated!
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 20

Expert Comment

by:woolnoir
ID: 33529652
How are you allowing them to edit the fields ? using AD users & computers ? an currently when they try they cant edit all fields, some fields or ?
0
 

Author Comment

by:PNickJames
ID: 33530024
Hi woolnoir,

They are using AD users & computers and they can't edit any at all, even when I run the Delegation Control Wizard and give them full control to the OU in question. I think the fact that permissions don't seem to be cascading properly is causing the issue. This is only a logical conclusion - I will corroborate it and come back to you with the results later on.

Thanks, Nick.
0
 

Author Comment

by:PNickJames
ID: 33577392
Hello everybods,

I have tested this now and if I goto the Security tab of each user in the OU, click Advanced and tick the "Inherit from parent the permission entries that apply to child objects..." box, my receptionists can alter the telephone number and department fields. But how can I easily tick that box for all the users in the OU (there are 500+) when there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU? Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
0
 

Accepted Solution

by:
PNickJames earned 0 total points
ID: 33670816
Hi all,

I created a batch file in the end and used one of the resource kit tools to update the user objects so they would inheret permissions again, syntax as follows:
dsacls \\LDAP-DC\CN="UserName",OU=OFFICE,DC=test,DC=local /P:N
I extracted the list of users using Softerra LDAP browser and manipulated them using Excel, then Word Find and Replace to create the batch file.
It was a joy to watch it processing!!

Many thanks for your help woolnoir.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question