Ulf: My original post must not have been clear enough. I HAVE delegated this on the adminSDHolder container and it does get applied to the protected accounts. Unfortunately, even though the security setting on the account then shows that the HELPDESK group has READ/WRITE ability on the lockoutTime attribute, that option is grayed out in ADUC for them.
Rick Bowersox Principle Software Systems Engineer Identity/Directory Services EBusiness Security Rockwell Collins 400 Collins Road, NE MS 120-120 Cedar Rapids, IA 52498-0001 319.295.5095 "If life was fair, Elvis would be alive and all the impersonators would be dead." _________________________________________ Johnny Carson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, April 19, 2006 4:33 PM To: [email protected] Subject: RE: [ActiveDir] Anomoly in application of Permissions by adminSDHolder Hi Richard, You can change the settings by delegating write access to lockoutTime on the adminSDHolder-Object in the system container. After doing that your helpdesk will be able to unlock any administrative account anywhere in the domain. For more information query my blog for adminSdHolder or use google, which will bring it up as well. Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D |-----Original Message----- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of |Richard Bowersox |Sent: Wednesday, April 19, 2006 10:09 PM |To: [email protected] |Subject: [ActiveDir] Anomoly in application of Permissions by |adminSDHolder | |I have noticed what appears to be an anomoly in the way that |adminSDHolder is applying object permissions and was wondering |if anybody else has seen something similar or has a workaround. | |We want our internal helpdesk staff to be able to unlock any |users account, even privliged accounts that are protected by |adminSDHolder 'inheritance'. |The HELPDESK group has been give Read/Write permissions on the |lockoutTime attribute for User Objects protected by |adminSDHolder. However, when members of HELPDESK go to unlock |a locked account of this type, the choice is grayed out. (The |same permissions given to the same group for accounts not |protected by adminSDHolder allow the HELPDESK to unlock those |accounts without any problem.) | |When I look at the permissions applied to the specific user |object it shows that the HELPDESK group has Read/Write on the |lockoutTime attribute as expected. The only way that members |of the HELPDESK group can gain access to the account lockout |box is to set the security on a specific account for the |lockoutTime READ/WRITE permission to apply to 'This Object' |rather than the "User Objects' choice. | |Unfortunately, when setting the security on the adminSDHolder |container, I cannot use the "This object and all child |objects" choice because when that is selected, the lockoutTime |attribute is not an available option. | | | |Rick Bowersox |Rockwell Collins | |"If you cannot convince them, confuse them." |------------------------------------------ |Harry S Truman | | |List info : http://www.activedir.org/List.aspx |List FAQ : http://www.activedir.org/ListFAQ.aspx |List archive: |http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
