Hmmm, is there the possibility that permissions are granted before even clicking Finish in the delegation wizard? The reason I ask is because I created a test user, started clicking on perms in the delegation wizard just to see what happened (without clicking on the Finish button), then clicked the back button, cancelled, and started the wizard again. When I started the wizard again, I instead put a group which I then made that same user a member of, then delegated them just the RW on useraccountcontrol. After I found out that I was able to delete a mailbox in that OU, I thought I had better check the effective permissions. The user had all kinds of permissions. I then added another new user to the group that had been delegated rights and that user only had the specific rights that it should have.
Does this sound bogus?

_____

From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 10:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate disable/enable user accounts

read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want.

Cheers,
Jorge

_____

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me...or rather me failing google
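As an added example (not part of the thread): Jorge's point that write access to useraccountcontrol covers every flag in it can be checked after the fact by diffing old and new values and reporting any changed bit other than the disable flag. The flag values are from Microsoft's userAccountControl documentation; the function names and the `(account, old, new)` records are constructed for illustration, and how such records are collected is an assumption.

```python
from enum import IntFlag

class UAC(IntFlag):
    """Subset of documented userAccountControl bits."""
    SCRIPT = 0x0001
    ACCOUNTDISABLE = 0x0002
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# The only bit an enable/disable delegation is meant to cover.
ALLOWED = int(UAC.ACCOUNTDISABLE)
KNOWN = sum(int(f) for f in UAC)

def unexpected_bits(old: int, new: int) -> list[str]:
    """Flags that differ between old and new, excluding ACCOUNTDISABLE."""
    changed = (old ^ new) & ~ALLOWED
    # '+' means the flag was set by the write, '-' means it was cleared.
    names = [f"{'+' if new & f else '-'}{f.name}" for f in UAC if changed & f]
    unknown = changed & ~KNOWN  # bits missing from the table above
    if unknown:
        names.append(f"unknown:{unknown:#x}")
    return names

def audit(records):
    """Map account -> unexpected flag changes; plain enable/disable is omitted."""
    findings = {}
    for account, old, new in records:
        extra = unexpected_bits(old, new)
        if extra:
            findings.setdefault(account, []).extend(extra)
    return findings

# Constructed sample writes made by the delegated group: (account, old, new).
SAMPLE = [
    ("alice", 512, 514),      # disabled: within the delegation's intent
    ("bob", 514, 512),        # re-enabled: within the delegation's intent
    ("carol", 512, 66048),    # DONT_EXPIRE_PASSWORD set
    ("dave", 512, 4194818),   # disabled, but DONT_REQ_PREAUTH set in the same write
    ("erin", 512, 544),       # PASSWD_NOTREQD set
]

if __name__ == "__main__":
    for account, changes in audit(SAMPLE).items():
        print(account, changes)
```
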