Solved

Delegation of user management to OU not working - Access Denied!

Posted on 2010-08-27
11
1,897 Views
Last Modified: 2012-05-10
OK, I've read and tried everything to no avail.  All I'm trying to do is Delegate simple user admin tasks to an OU so that a small group of remote admins can manage the users within this OU.  Sounds simple, eh?  :)

No matter what I do, even if I delegate "Full Control", the users in the security group that I delegated rights to always end up getting the "User must change password at next logon" box checked under the user's properties / Account tab.  Unchecking this and hitting OK/Apply gives the following error > "The following Active Directory error occurred: Access Denied."  I've even created a new test OU, but got the same results, so it's not related to the OU.  If I log in using my domain admin account, everything works fine, so it's obviously permission related, but what do I need to do, pray to the Permissions Gods and beg for forgiveness?  This should be so simple yet it's really frustrating... Any ideas?

Question by:dkraut
11 Comments
 
LVL 3

Assisted Solution

by:joerghermanns
joerghermanns earned 200 total points
Did you read this: http://technet.microsoft.com/en-us/library/cc960527.aspx
It should contain all the information you need.

When using Windows 2008 - and you need only some basic tasks:

1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

For more granular delegation:

1. In AD DS Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Select Create a Custom Task to Delegate, and click Next.
7. Under Delegate Control Of, choose Only the Following Objects in the Folder.
8. Check Users Objects and click Next.
9. Under Permissions, check Read and Write Phone and Mail Options and click Next.
10. Click Finish to confirm the modifications.

Hope that helps
0
 

Author Comment

by:dkraut
Yes, exactly what I did, but it does not work.  I can create/delete users but when I try to reset a password, it appears to take it, but really doesn't (password is never actually changed) and then I noticed that the "User must change password at next logon" box is checked and unchecking it and hitting OK gives me the access denied error.  During my google searches, I found others that have encountered this exact same situation, but no solutions other than verifying the permissions, which I've done.
0
 
LVL 33

Expert Comment

by:digitap
When you ran through the delegation wizard, did you choose a common task or did you create a custom task to delegate?
0
 

Author Comment

by:dkraut
Tried it both as common and custom task with the same result.  Regardless, shouldn't applying full control to the delegated group listed under the security tab after the fact give me rights to uncheck change password at next logon?  
0
 
LVL 33

Expert Comment

by:digitap
If you click the common task for Reset Password, you should see the screenshot I show below.  This would be for User Objects.
[screenshot: greenshot-2010-08-30-16-29-31.jpg]
0
 
LVL 33

Accepted Solution

by:digitap
digitap earned 300 total points
Did you also check at the Parent OU or the top level OU to confirm there wasn't an explicit Deny for this particular function?
0
 

Author Comment

by:dkraut
Yeah, checked both and it still does not work.  The weird thing is if I select Effective Permissions and select the account I'm logged in as, it shows that I have every possible permission for the user object, yet if I uncheck the "User must change password at next logon" and hit OK/Apply, I get access denied.  Might have to open a call with MS for this one...
0
 
LVL 33

Expert Comment

by:digitap
OK...I just thought of something.  When you have an account that has been delegated to an OU, that account cannot change certain settings (password related in your case) when the target account has the same or higher security as itself.
0
 
LVL 33

Expert Comment

by:digitap
Looking forward to hearing what MS has to say.  Thanks for the points!
0
 

Author Comment

by:dkraut
So I'm working with MS, but the case is being handled via email so it's slow but steady progress.  Not sure why this seemed to help, but the info below at least allows the user with delegated rights to reset passwords, but it still pops up an access denied if they try to check/uncheck the "user must change password at next logon" box.  Also, since the users that are admins reside within this same OU, they seem to have some issues managing other admin accounts within the same OU.  This really shouldn't be so difficult?  Ultimately, I just want to allow a small group of admins "Full Control" over this OU.  They should be able to do whatever they want without error at this OU or lower.
-----------------------------------
We have a KB article that addresses the minimum permissions needed for a delegated administrator to force a password change at next logon: http://support.microsoft.com/kb/296999.

--------------------------------------
Delegate the permissions to the specific group/user:

a. Click Start, click Run, type dsa.msc in the Open box, and then click OK.
b. Right-click the organizational unit to which you want to delegate permissions, and then click Delegate Control.
c. Click Next, and then click Add.
d. Click Help Desk, click Add, and then click OK.
e. Click Next, check Create a custom task to delegate, and then click Next.
f. Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
g. Click to select the General and the Property-specific check boxes.
h. Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permission box.
i. Click Next, and then click Finish.

0
 

Author Comment

by:dkraut
As an update.  We learned that someone had altered the default permissions of Authenticated Users, which was the cause of all my trouble.  Once I gave Authenticated Users >

•"Enable per user reversible encryption"
•"Unexpire password"
•"Update password not required bit"
 
at the domain level, everything worked fine!
0
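Added example, not code from the thread, from Microsoft or from the KB article: a PowerShell equivalent of the Delegate Control wizard steps posted above (the KB 296999 set: Reset Password plus Read/Write pwdLastSet on user objects under the OU), together with a check and repair of the three control access rights on the domain object that the final comment identifies as the real cause. The domain controller evaluates "Unexpire Password", "Update Password Not Required Bit" and "Enable Per User Reversible Encryption" against the domain head itself, not the user object, when a client writes pwdLastSet to -1 (clearing "User must change password at next logon") or flips the corresponding userAccountControl bits; that is why Effective Permissions on the user looked complete while the write was still denied. Assumptions: the RSAT ActiveDirectory module is installed, the caller can write these ACLs, and the OU distinguished name and group name in the usage lines are placeholders.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module; run as an account allowed to modify the ACLs involved.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve schema and control-access-right GUIDs from the directory instead of
# hard-coding them; the display names are the ones the ACL editor shows.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    [Guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Control access right '$DisplayName' not found" }
    [Guid]$o.rightsGuid
}

# Allow ACE scoped to descendant user objects only (the wizard's
# "Only the following objects in the folder -> User objects").
function New-UserAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, (Get-SchemaGuid 'user')
    )
}

# 1. KB 296999 delegation on the OU: Reset Password + Read/Write pwdLastSet.
function Grant-PasswordResetDelegation([string]$OuDn, [string]$GroupName) {
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-UserAce $sid ExtendedRight (Get-RightsGuid 'Reset Password')))
    $acl.AddAccessRule((New-UserAce $sid 'ReadProperty, WriteProperty' (Get-SchemaGuid 'pwdLastSet')))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# 2. The three rights checked on the domain head for password-flag writes.
$DomainHeadRights = 'Unexpire Password', 'Update Password Not Required Bit', 'Enable Per User Reversible Encryption'
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

function Test-DomainHeadPasswordRights {
    $domainDn = (Get-ADDomain).DistinguishedName
    $rules = (Get-Acl -Path "AD:\$domainDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($name in $DomainHeadRights) {
        $guid  = Get-RightsGuid $name
        $match = $rules | Where-Object {
            $_.IdentityReference -eq $AuthenticatedUsers -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [Guid]::Empty)   # Empty GUID = all extended rights
        }
        [pscustomobject]@{
            Right   = $name
            Allowed = [bool]($match | Where-Object AccessControlType -eq 'Allow')
            Denied  = [bool]($match | Where-Object AccessControlType -eq 'Deny')   # a Deny wins over Allow
        }
    }
}

# Re-add the default Allow ACEs (this object only) for Authenticated Users.
function Restore-DomainHeadPasswordRights {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    foreach ($name in $DomainHeadRights) {
        $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $AuthenticatedUsers, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow, (Get-RightsGuid $name),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        )))
    }
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
}

# Usage (placeholder OU and group):
# Grant-PasswordResetDelegation -OuDn 'OU=Remote Users,DC=corp,DC=example' -GroupName 'HelpDesk'
# Test-DomainHeadPasswordRights | Format-Table
# Restore-DomainHeadPasswordRights   # only when the test reports Allowed = False and Denied = False
```

Run the test before the restore: if a right shows Denied = True, adding an Allow ACE changes nothing, because the explicit Deny (which is what an earlier comment in this thread asked about) still wins and has to be removed first. Restoring these rights to Authenticated Users returns the domain head to its default state; it does not by itself let anyone reset passwords, since the per-user Reset Password and pwdLastSet permissions from step 1 are still required on the OU.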
