Solved

Active Directory (W2003SR2) Delegate Control issue

Posted on 2010-08-25
7
527 Views
Last Modified: 2013-12-04
I am trying to set up two reception users so that they can edit the Phone and Department fields within our Staff OU but it won't allow editing of existing user fields. At the last attempt I ran through the delegate control wizard and gave full access to the OU to each user (checked afterwards in the Security tab for the OU), but they still can't edit any of the fields within the user account (although they can happily delete/create users!). Am I missing something obvious?? Many thanks in advance!
0
Comment
Question by:PNickJames
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33519411
Did you do the following : - ?

In the Delegation of Control wizard, check the "Create a custom task to
delegate" option. After that, use the "Only the following objects in the
folder" option with "user objects" specified. On the next screen, you
can choose what attributes and permissions you want - make sure you use
Select the attributes you need and use:
http://www.frickelsoft.net/blog/?p=159 as a guide.

0
 

Author Comment

by:PNickJames
ID: 33522510
Thanks woolnoir,
that updated permissions on the OU fine, but when I look at the effective permissions of my users within the container they are unchanged. This appears to be because the majority of users have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitily defined here"  option unticked, so the permissions aren't propagating properly. Furthermore there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU so I can't see away of sorting this out without editing individual users (there are several hundred). Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
Thanks again.
0
 

Author Comment

by:PNickJames
ID: 33529555
I increased the points as I may have underestimated the complexity of this question. Any answers to the previous thread would be much appreciated!
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
LVL 20

Expert Comment

by:woolnoir
ID: 33529652
How are you allowing them to edit the fields ? using AD users & computers ? an currently when they try they cant edit all fields, some fields or ?
0
 

Author Comment

by:PNickJames
ID: 33530024
Hi woolnoir,

They are using AD users & computers and they can't edit any at all, even when I run the Delegation Control Wizard and give them full control to the OU in question. I think the fact that permissions don't seem to be cascading properly is causing the issue. This is only a logical conclusion - I will corroborate it and come back to you with the results later on.

Thanks, Nick.
0
 

Author Comment

by:PNickJames
ID: 33577392
Hello everybods,

I have tested this now and if I goto the Security tab of each user in the OU, click Advanced and tick the "Inherit from parent the permission entries that apply to child objects..." box, my receptionists can alter the telephone number and department fields. But how can I easily tick that box for all the users in the OU (there are 500+) when there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU? Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
0
 

Accepted Solution

by:
PNickJames earned 0 total points
ID: 33670816
Hi all,

I created a batch file in the end and used one of the resource kit tools to update the user objects so they would inheret permissions again, syntax as follows:
dsacls \\LDAP-DC\CN="UserName",OU=OFFICE,DC=test,DC=local /P:N
I extracted the list of users using Softerra LDAP browser and manipulated them using Excel, then Word Find and Replace to create the batch file.
It was a joy to watch it processing!!

Many thanks for your help woolnoir.
0

Featured Post

Office 365 Advanced Training for Admins

Special Offer:  Buy 1 course, get 2nd free!  Buy the 'Managing Office 365 Identities & Requirements' course w/ Accelerated TestPrep, and automatically receive the 'Enabling Office 365 Services' course FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question