Hi Guido,
 
Yes, you are correct, this is what is happening. But I believe the reason that the inherit on existing objects is not checked is due to the AdminSDHolder. The user in question is a member of the Builtin\Server Operators group, therefore when I set the user object to inherit the permissions, it resets itself to unchecked after roughly 15 mins.
 
I now have a problem: my global group, which I have delegated permissions to on an OU, must be a member of the Builtin\Server Operators group. If the inherit flag is reset after 10 mins, how can I get this user object to be able to administer other users who are also members of the Builtin\Server Operators group?
 
If I had the choice, I wouldn't use the builtin groups; however, this is management's call.
 
Thanks

"Grillenmeier, Guido" <[EMAIL PROTECTED]> wrote:
Sounds to me as if you've not set the permission to _inherit_ down to existing objects - check in the Advanced tab of the security editor (the tab that displays the permissions on your OU in ADUC) and see if your Full Control permissions are set for User Objects (which will then automatically inherit down to user objects within this OU). If you've set the permission to all objects, you'll explicitly have to set the scope of the permission to apply to "This object and all child objects" (or just to the child objects) - this will then inherit the permission to objects within the OU.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, 25 August 2005 10:46
To: Active
Subject: [ActiveDir] OU permissions for user object

Hi,
 
I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions.
 
I have also delegated the 'Create, Delete & Manage User Account' right with F/C.
 
I only want this security group to be able to manage user accounts in this OU and modify the users details/group membership.
 
The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists.
 
If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out. 
 
Any ideas where I can check?
 
Iain
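
Added example, not part of the original thread: a PowerShell check that lists, for every user in a delegated OU, whether `adminCount` is 1 and whether ACL inheritance is blocked, which is the state the first message attributes to AdminSDHolder. It assumes the ActiveDirectory (RSAT) module is installed; the function name and the OU distinguished name are placeholders.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access
# to the security descriptors of the users being inspected.
Import-Module ActiveDirectory

function Get-OuUserInheritanceState {
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase    # distinguished name of the delegated OU
    )

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
               -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            if ($null -eq $sd) {
                # The descriptor is not returned when the caller cannot read it.
                $blocked = $null
                $inherited = $null
            } else {
                # True when "inherit from parent" is unchecked on the object.
                $blocked = $sd.AreAccessRulesProtected
                # Number of ACEs that actually flow down from the OU.
                $inherited = $sd.GetAccessRules(
                    $false, $true,
                    [System.Security.Principal.SecurityIdentifier]).Count
            }

            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $blocked
                InheritedAceCount  = $inherited
                # adminCount = 1 together with blocked inheritance marks an
                # account whose ACL is stamped from AdminSDHolder, so ACEs
                # delegated on the OU do not reach it.
                AdminSDHolderStamp = ($_.adminCount -eq 1 -and $blocked -eq $true)
            }
        }
}

# Placeholder DN; replace with the OU that was delegated.
Get-OuUserInheritanceState -SearchBase 'OU=Example,DC=example,DC=com' |
    Sort-Object AdminSDHolderStamp -Descending |
    Format-Table -AutoSize
```

Accounts reported with `AdminSDHolderStamp` set to True are the ones on which OU-level delegation has no effect; `adminCount` can remain 1 after an account leaves a protected group, so check current group membership as well.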
