Solved

Delegation of user management to OU not working - Access Denied!

Posted on 2010-08-27
Last Modified: 2012-05-10
OK, I've read and tried everything to no avail.  All I'm trying to do is Delegate simple user admin tasks to an OU so that a small group of remote admins can manage the users within this OU.  Sounds simple, eh?  :)

No matter what I do, even if I delegate "Full Control", the users in the security group that I delegated rights to always end up getting the "User must change password at next logon" box checked under the user's properties / Account tab.  Unchecking this and hitting OK/Apply gives the following error > "The following Active Directory error occurred: Access Denied."  I've even created a new test OU, but got the same results, so it's not related to the OU.  If I log in using my domain admin account, everything works fine, so it's obviously permission related, but what do I need to do, pray to the Permissions Gods and beg for forgiveness?  This should be so simple, yet it's really frustrating... Any ideas?

Question by:dkraut
11 Comments
 
LVL 3

Assisted Solution

by:joerghermanns
joerghermanns earned 800 total points
ID: 33548699
Did you read this: http://technet.microsoft.com/en-us/library/cc960527.aspx
It should contain all the information you need.

When using Windows 2008 and you need only some basic tasks:

1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

For more granular delegation:

1. In AD DS Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Select Create a Custom Task to Delegate, and click Next.
7. Under Delegate Control Of, choose Only the Following Objects in the Folder.
8. Check Users Objects and click Next.
9. Under Permissions, check Read and Write Phone and Mail Options and click Next.
10. Click Finish to confirm the modifications.

Hope that helps
0
 

Author Comment

by:dkraut
ID: 33549336
Yes, exactly what I did, but it does not work.  I can create/delete users but when I try to reset a password, it appears to take it, but really doesn't (password is never actually changed) and then I noticed that the "User must change password at next logon" box is checked and unchecking it and hitting OK gives me the access denied error.  During my google searches, I found others that have encountered this exact same situation, but no solutions other than verifying the permissions, which I've done.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33561280
When you ran through the delegation wizard, did you choose a common task or did you create a custom task to delegate?
0

Author Comment

by:dkraut
ID: 33562946
Tried it both as common and custom task with the same result.  Regardless, shouldn't applying full control to the delegated group listed under the security tab after the fact give me rights to uncheck change password at next logon?  
0
 
LVL 33

Expert Comment

by:digitap
ID: 33563020
If you click the common task for Reset Password, you should see the screenshot I show below.  This would be for User Objects.
[screenshot: greenshot-2010-08-30-16-29-31.jpg]
0
 
LVL 33

Accepted Solution

by:
digitap earned 1200 total points
ID: 33563032
Did you also check at the Parent OU or the top level OU to confirm there wasn't an explicit Deny for this particular function?
0
 

Author Comment

by:dkraut
ID: 33586882
Yeah, checked both and it still does not work.  The weird thing is if I select Effective Permissions and select the account I'm logged in, it shows that I have every possible permission for the user object, yet if I uncheck the "User must change password at next logon" and hit ok/apply, I get access denied.  Might have to open a call with MS for this one...
0
 
LVL 33

Expert Comment

by:digitap
ID: 33588259
OK... I just thought of something.  When you have an account that has been delegated to an OU, that account cannot change certain settings (password related in your case) when the account has the same or higher security as itself.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33695908
Looking forward to hearing what MS has to say.  Thanks for the points!
0
 

Author Comment

by:dkraut
ID: 33721687
so I'm working with MS, but the case is being handled via email so it's slow but steady progress.  Not sure why this seemed to help, but the info below at least allows the user with delegated rights to reset passwords, but still pops up an access denied if they try to check/uncheck the "user must change password at next logon" box.  Also, since the users that are admins reside within this same OU, they seem to have some issues managing other admin accounts within the same OU.  This really shouldn't be so difficult?  Ultimately, I just want to allow a small group of admins "Full Control" over this OU.  They should be able to do whatever they want without error at this OU or lower.      
-----------------------------------
We have a KB article addressing the minimum permissions needed for a delegated administrator to force a password change at next logon: http://support.microsoft.com/kb/296999.

--------------------------------------
Delegate the permissions to the specific group/user:

a. Click Start, click Run, type dsa.msc in the Open box, and then click OK.
b. Right-click the organizational unit to which you want to delegate permissions, and then click Delegate Control.
c. Click Next, and then click Add.
d. Click Help Desk, click Add, and then click OK.
e. Click Next, check Create a custom task to delegate, and then click Next.
f. Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
g. Click to select the General and the Property-specific check boxes.
h. Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permission box.
i. Click Next, and then click Finish.

0
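The two wizard procedures in this thread (joerghermanns' common/custom task steps and the KB 296999 steps quoted from Microsoft support) both end up as ACEs on the OU. The script below does the same change directly with the ActiveDirectory module and then lists what the group holds, so the result can be checked without clicking through the Security tab. It is an added example written for this page, not code from the thread, from Microsoft or from the KB; the group name OU-UserAdmins and the OU distinguished name are hypothetical, and the GUIDs are looked up in the forest's schema and Extended-Rights container rather than typed in.

```powershell
# Added example (not from the thread or from Microsoft): grant the KB 296999
# minimum set, Reset Password plus Read/Write pwdLastSet, on user objects
# under an OU, then show the resulting ACEs for the group.
# Hypothetical names: group "OU-UserAdmins", OU "OU=Remote,DC=corp,DC=example".
Import-Module ActiveDirectory

$GroupName = 'OU-UserAdmins'
$OuDn      = 'OU=Remote,DC=corp,DC=example'

$rootDse = Get-ADRootDSE

# Resolve the GUIDs from this forest instead of hardcoding them.
function Get-SchemaIdGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ControlAccessRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClassGuid  = Get-SchemaIdGuid 'user'          # inherited-object type: user objects only
$pwdLastSetGuid = Get-SchemaIdGuid 'pwdLastSet'    # attribute behind "must change password at next logon"
$resetPwdGuid   = Get-ControlAccessRightGuid 'Reset Password'

$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl      = Get-Acl -Path "AD:\$OuDn"

# Helper: an Allow ACE for the group that applies to descendant user objects only.
function New-UserObjectAce([string]$Rights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
}

# Reset Password control access right (step h of the KB procedure)
$acl.AddAccessRule((New-UserObjectAce 'ExtendedRight' $resetPwdGuid))
# Read pwdLastSet and Write pwdLastSet
$acl.AddAccessRule((New-UserObjectAce 'ReadProperty, WriteProperty' $pwdLastSetGuid))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: the ACEs the group now holds on the OU
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it as an account that can write the OU's DACL. The listing at the end should show two ACEs for the group: ExtendedRight with ObjectType equal to the Reset Password GUID, and ReadProperty, WriteProperty with ObjectType equal to the pwdLastSet GUID, both with InheritedObjectType set to the user class and InheritanceType Descendents. If those are present and the account still gets Access Denied when clearing the checkbox, the OU is not where the missing permission is, which is exactly what the thread's final update found.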
 

Author Comment

by:dkraut
ID: 33825942
As an update, we learned that someone had altered the default permissions of Authenticated Users, which was the cause of all my trouble.  Once I gave Authenticated Users

• "Enable per user reversible encryption"
• "Unexpire password"
• "Update password not required bit"

at the domain level, everything worked fine!
1
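Why the domain-level fix worked, and why the Effective Permissions tab on the user object was misleading: the "User must change password at next logon" checkbox is a write to pwdLastSet, 0 to set it and -1 to clear it, and writing -1 requires the Unexpire Password control access right, which the DC evaluates on the domain naming context head rather than on the user object. The same holds for the other two rights listed above, which gate the "password not required" and "store password using reversible encryption" bits of userAccountControl. A default domain grants all three to Authenticated Users on the domain object itself, so a delegated admin never needs them explicitly; once they are removed, every delegation on the OU is correct and the write still fails. The script below is an added example written for this page, not code from the thread or from Microsoft: it audits the domain head for those three ACEs, reports any explicit Deny on them (the check digitap asked about), and re-adds whatever is missing. The rightsGuid values are the ones published for these rights in the CN=Extended-Rights container; the output strings are this example's own.

```powershell
# Added example (not from the thread or from Microsoft): audit the domain
# head for the three control access rights Authenticated Users hold there by
# default, and re-add any that are missing. Needs the ActiveDirectory module
# and an account allowed to modify the domain object's DACL.
Import-Module ActiveDirectory

# rightsGuid values of the three rights, as defined in CN=Extended-Rights.
$RequiredRights = [ordered]@{
    'Enable Per User Reversibly Encrypted Password' = [guid]'05c74c5e-4deb-43b4-bd9f-86664c2a7fd5'
    'Unexpire Password'                            = [guid]'ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501'
    'Update Password Not Required Bit'             = [guid]'280f369c-67c7-438e-ae98-1d46f3c6f541'
}
$AuthUsersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$AuthUsersName = $AuthUsersSid.Translate([System.Security.Principal.NTAccount]).Value

$domainDn = (Get-ADRootDSE).DefaultNamingContext
$acl      = Get-Acl -Path "AD:\$domainDn"
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-DomainHeadRight([guid]$RightGuid) {
    # An ACE grants a control access right when it carries ExtendedRight and
    # its ObjectType is that right's GUID (an empty GUID means all extended rights).
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $AuthUsersName -and
        ($_.ActiveDirectoryRights -band $extRight) -eq $extRight -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty)
    })
}

$missing = @()
foreach ($name in $RequiredRights.Keys) {
    if (Test-DomainHeadRight $RequiredRights[$name]) {
        Write-Host "OK       $name"
    } else {
        Write-Host "MISSING  $name"
        $missing += $name
    }
}

# An explicit Deny on any of these rights overrides the Allow, so report those too.
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    ($_.ActiveDirectoryRights -band $extRight) -eq $extRight -and
    ($_.ObjectType -in $RequiredRights.Values -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { Write-Warning "Deny ACE for $($_.IdentityReference) on $($_.ObjectType)" }

# Restore the defaults: Allow, ExtendedRight, this object only.
foreach ($name in $missing) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $AuthUsersSid,
        $extRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $RequiredRights[$name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
}
if ($missing.Count -gt 0) {
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
    Write-Host "Re-added $($missing.Count) right(s) for $AuthUsersName on $domainDn"
}
```

Run the audit first with the Set-Acl line commented out if you only want the report. Because these rights are checked on the domain head, the Effective Permissions tab opened on an individual user account will not reveal their absence; this script, or a comparison of the domain object's DACL against a freshly built lab domain, is the way to spot the change.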
