Hmmm, is there the possibility that permissions are granted before even
clicking Finish in the delegation wizard? The reason I ask is because I
created a test user, started clicking on perms in the delegation wizard just
to see what happened (without clicking on the Finish buttion), then clicked
the back button, cancelled, and started the wizard again. When I started the
wizard again, I instead put a group which I then made that same user a
member of, then delegated them just the RW on useraccountcontrol. After I
found out that I was able to delete a mailbox in that OU, I thought I had
better check the effective permissions. The user had all kinds of
permissions. I then added another new user to the group that had been
delegated rights and that user only had the specific rights that it should


Does this sound bogus?




From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 06, 2005 10:09 AM
To: ''
Subject: RE: [ActiveDir] Delegate disable/enable user accounts


Man, read/write to  useraccountcontrol seems to enable  a user to delete a
mailbox too.



[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 06, 2005 8:44 AM
Subject: RE: [ActiveDir] Delegate disable/enable user accounts


read/write permission on the useraccountcontrol attribute of the user



the disabled/enabled status of a user object is represented by a bit/flag in
the useraccountcontrol attribute and that same attribute consists of more
bits/flags. So if you delegate read/write permission on the
useraccountcontrol, you delegate control on all of the bits/flags
represented in that useraccountcontrol attribute. It may not be what you






Van: [EMAIL PROTECTED] namens Douglas M. Long
Verzonden: di 6-12-2005 14:19
Onderwerp: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for
delegation of disabling and enabling user accounts, or have a link? Google
is failing me...or rather me failing google 

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.

<<attachment: winmail.dat>>

Reply via email to