More details-
I've just verified that I've not been able to change the RAS-Callback Number when the userobject has the callback-number set. The UI displays the callback number as editable, but when changing and pressing apply I receive an error (translated from German) "The changes on the dialin profile weren't saved, Access Denied".
I've verified that if I change the RAS Callbacknumber as Administrator the following changes are made in Active Directory:
The values of the following attributes of the User-Object are changed:
whenChanged
uSNChanged
userParameters
msRADIUSCallbackNumber
The following attributes are replicated:
userParameters
msRADIUSCallbackNumber
The following rights in the NT-Securitydescriptor in the user-object are changed:
none
Then I delegated a useraccount the rights to write the following attributes of user-objects underneath a certain OU:
userParameters
msRADIUSCallbackNumber
To be able to change the RAS Callbacknumber on a memberserver I applied the hotfix with the ID 822542 from PSS, see the thread "Issue with delegated Rights and Dial-in Tab in WS2k3" in this newsgroup.
To confirm the rights I performed the following LDAP-Query
(&(objectClass=Person)(objectCategory=user)(samaccountname=any-user-with-dialin))
Base: domainroot
Scope: Subtree
Attributes: distinguishedname, allowedAttributesEffective
Result:
>> Dn: CN=rasuser,ou=myou,dc=mydomain,dc=tld
1> distinguishedName: CN=rasuser,ou=myou,dc=mydomain,dc=tld;
5> allowedAttributesEffective: pwdLastSet; userParameters; lockoutTime; msRADIUSCallbackNumber; msRASSavedCallbackNumber;
Then I experimented with additional rights, and figured out that if the following rights are set (which are more rights than my customer is willing to give for that group) it is still not working:
allowedAttributesEffective: pwdLastSet; userParameters; lockoutTime; msNPAllowDialin; msNPCallingStationID; msRADIUSCallbackNumber; msRADIUSFramedIPAddress; msRADIUSFramedRoute; msRADIUSServiceType; msRASSavedCallbackNumber;
Next test, if I revoke the rights just set and set the Write UserAccountControl everything is working, but those are again more rights than I or the customer is willing to give:
allowedAttributesEffective: userAccountControl; pwdLastSet; userParameters; accountExpires; lockoutTime; msRADIUSCallbackNumber; msRASSavedCallbackNumber;
Can anyone explain to me what minimum rights I have to set to enable this group to just _change_ the RasCallbacknumber but not to have more rights on the userobject or RAS-Tab???
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Caldwell
Sent: Thursday, April 01, 2004 7:13 AM
To: [EMAIL PROTECTED]; Ulf B. Simon-Weidner
Subject: [ActiveDir] msRADIUSCallbackNumber
Hey gang-
Ulf (MS MVP) posed a question to me that I did not have an immediate answer for so I thought I would toss it out to the group for some additional insight-
Hi there,
I just recognized that if I change the msRADIUSCallbackNumber in ADUC, the Attribute userParameters is changed as well. Is that intended? Why is it necessary, what does it do there?
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Mark Caldwell
Community MVP Lead
Windows Server Systems
Microsoft Co.
Phone (425) 704-5515
[EMAIL PROTECTED]
[EMAIL PROTECTED] [IM Only]
GET SECURE NOW!!
http://www.microsoft.com/security
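
Added example (not part of the original thread): a small Python audit that parses ldp.exe-style result text in the layout of the query output quoted above and compares each object's allowedAttributesEffective with an intended write baseline. The baseline set, the second entry (rasuser2) and the function names are assumptions constructed for illustration.

```python
import re

# Assumption: the only attributes the delegated group is meant to write.
BASELINE = {"userParameters", "msRADIUSCallbackNumber"}

# Constructed sample in the ldp.exe result layout; rasuser2 is hypothetical.
SAMPLE = """\
>> Dn: CN=rasuser,ou=myou,dc=mydomain,dc=tld
1> distinguishedName: CN=rasuser,ou=myou,dc=mydomain,dc=tld;
5> allowedAttributesEffective: pwdLastSet; userParameters; lockoutTime;
msRADIUSCallbackNumber; msRASSavedCallbackNumber;
>> Dn: CN=rasuser2,ou=myou,dc=mydomain,dc=tld
7> allowedAttributesEffective: userAccountControl; pwdLastSet; userParameters;
accountExpires; lockoutTime; msRADIUSCallbackNumber; msRASSavedCallbackNumber;
"""

ATTR_LINE = re.compile(r"^\d+>\s*([\w-]+):\s*(.*)$")

def parse_ldp(text):
    """Return {dn: {attribute: [values]}}; wrapped value lines are rejoined."""
    entries, current, attr = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">> Dn:"):
            current = entries.setdefault(line[len(">> Dn:"):].strip(), {})
            attr = None
            continue
        if not line or current is None:
            continue
        m = ATTR_LINE.match(line)
        if m:
            attr, rest = m.group(1), m.group(2)
            current.setdefault(attr, [])
        elif attr is not None:
            rest = line  # continuation of the previous attribute's values
        else:
            continue
        current[attr] += [v.strip() for v in rest.split(";") if v.strip()]
    return entries

def audit(text, baseline=BASELINE):
    """Per DN: writable attributes beyond the baseline, and baseline ones missing."""
    report = {}
    for dn, attrs in parse_ldp(text).items():
        writable = set(attrs.get("allowedAttributesEffective", []))
        report[dn] = {"extra": sorted(writable - baseline),
                      "missing": sorted(baseline - writable)}
    return report

if __name__ == "__main__":
    for dn, result in audit(SAMPLE).items():
        print(dn, result)
```

An "extra" entry such as userAccountControl marks an effective write right beyond the intended delegation.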