Even if MS agrees to fix it, which can take quite a while to get that agreement. It could be yet another while to get the buddy drop and if your customer isn't willing to install the buddy in production (perfectly understandable) they get to wait even longer for the official QFE.
And what's this about the help desk TS'ing into a server to do admin work (smack of my palm to my forehead...). joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 09, 2004 10:12 AM To: [EMAIL PROTECTED] Subject: Re: RE: [ActiveDir] Delegation of Callback-Number Yes - it's a confirmed bug in the interface. When opening the page it checks the allowedattributeseffective and enables the box, when clicking OK it want's to write unchanged stuff which was not delegated and therefore receives an access denied from AD. It's definitelly a problem of the tab and not of layer 8. However, programmatically changing is not OK for this customer since administration is delegated and ADUC is available on the Terminal Server. Would be a work around what we might take if absolutely necessary, but as far as I understood the escalation engineer at PSS they are willing to fix this issue if there's a need for it - so I'm searching for other companies who want to have the callbacknumber set by the helpdesk but the other RAS-Properties by another department (it violates the companies policies if the general helpdesk would be able to assign the permissions to dial in). Ulf joe <[EMAIL PROTECTED]> schrieb am 09.07.2004, 04:19:29: > Hey Ulf - can you just script it? > > joe > > _____ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. > Simon-Weidner > Sent: Wednesday, July 07, 2004 6:32 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Delegation of Callback-Number > > > > Hi there, > > I have a customer who where we implemented the least permissions > necessary for each group fulfilling administrative tasks. One of those > tasks is that they are required that just a small group has the > permissions to grant RAS permissions, and every useraccount is forced > to be called back to a previously set number. To scale that solution > better, the user-helpdesk should be able to change the > callback-number, but they are not allowed to do anything else in the RAS-Permissions. > > Those are the requirements. Point. > > Couple month ago I discovered some bugs in the ADUC Dial-In Tab. After > installing a hotfix that allows non-administrator accounts to see the > dialin-tab and figuring out that I need to set the permissions for the > helpdesk for the msRadiusCallbackNumber and the userProperties > attributes I figured that there's an additional bug in the tab: the > helpdesk is now able to change the Callback-Number in the interface, > however as soon as they click on Apply or OK there's an error that the > rights are not sufficient. > > This is a bug, which is verified by Microsoft. > > The only way to delegate the permissions on the RAS Tab - due to the > bug - is to grant the group full permissions on everything of the > RAS-Tab. This is not acceptable in our case. > > Now comes why I'm posting: > > We have a open call at PSS, already did a CDCR and political impact, > but MS told us that they think it's not a option requested by > customers and they need at least another customer with that > requirement to fix that. I do not believe that we are the only ones > with that request - however I do believe that those out there who had > a request like that stopped early in the process instead of going the way through. > > So if anyone of you knows a company which has those requirements and > would like to have that fixed, contact me asap to see if we are able > to get that fixed. As far as I was told from PSS they'd like to get > that fixed too but are unable to assign developer-resources for it if > it's not requested by the market. > > This issue bugs me since the beginning of the year :-( > > > > Gruesse - Sincerely, > > > > Ulf B. Simon-Weidner -- Gr�sse - Sincerely, Ulf B. Simon-Weidner List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
