?
Solved

Active Directory (W2003SR2) Delegate Control issue

Posted on 2010-08-25
7
Medium Priority
?
529 Views
Last Modified: 2013-12-04
I am trying to set up two reception users so that they can edit the Phone and Department fields within our Staff OU but it won't allow editing of existing user fields. At the last attempt I ran through the delegate control wizard and gave full access to the OU to each user (checked afterwards in the Security tab for the OU), but they still can't edit any of the fields within the user account (although they can happily delete/create users!). Am I missing something obvious?? Many thanks in advance!
0
Comment
Question by:PNickJames
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33519411
Did you do the following : - ?

In the Delegation of Control wizard, check the "Create a custom task to
delegate" option. After that, use the "Only the following objects in the
folder" option with "user objects" specified. On the next screen, you
can choose what attributes and permissions you want - make sure you use
Select the attributes you need and use:
http://www.frickelsoft.net/blog/?p=159 as a guide.

0
 

Author Comment

by:PNickJames
ID: 33522510
Thanks woolnoir,
that updated permissions on the OU fine, but when I look at the effective permissions of my users within the container they are unchanged. This appears to be because the majority of users have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitily defined here"  option unticked, so the permissions aren't propagating properly. Furthermore there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU so I can't see away of sorting this out without editing individual users (there are several hundred). Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
Thanks again.
0
 

Author Comment

by:PNickJames
ID: 33529555
I increased the points as I may have underestimated the complexity of this question. Any answers to the previous thread would be much appreciated!
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 20

Expert Comment

by:woolnoir
ID: 33529652
How are you allowing them to edit the fields ? using AD users & computers ? an currently when they try they cant edit all fields, some fields or ?
0
 

Author Comment

by:PNickJames
ID: 33530024
Hi woolnoir,

They are using AD users & computers and they can't edit any at all, even when I run the Delegation Control Wizard and give them full control to the OU in question. I think the fact that permissions don't seem to be cascading properly is causing the issue. This is only a logical conclusion - I will corroborate it and come back to you with the results later on.

Thanks, Nick.
0
 

Author Comment

by:PNickJames
ID: 33577392
Hello everybods,

I have tested this now and if I goto the Security tab of each user in the OU, click Advanced and tick the "Inherit from parent the permission entries that apply to child objects..." box, my receptionists can alter the telephone number and department fields. But how can I easily tick that box for all the users in the OU (there are 500+) when there is no "Replace permission entries on all child objects with entries shown here that apply to child objects" in the Security Tab of the parent OU? Is there a command line utility I could use, or any example VB Scripts that I could use to rectify this? Or any other pertinent advice?!
0
 

Accepted Solution

by:
PNickJames earned 0 total points
ID: 33670816
Hi all,

I created a batch file in the end and used one of the resource kit tools to update the user objects so they would inheret permissions again, syntax as follows:
dsacls \\LDAP-DC\CN="UserName",OU=OFFICE,DC=test,DC=local /P:N
I extracted the list of users using Softerra LDAP browser and manipulated them using Excel, then Word Find and Replace to create the batch file.
It was a joy to watch it processing!!

Many thanks for your help woolnoir.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question