Hmm, getting closer but not quite there yet! Thanks Tony and James for the excellent responses.
Both of your attempted solutions do grant the ability to modify what I want to modify in the GUI (ADUC) in the sense that they are no longer grayed out to members of the delegated security group, however, when a change is attempted I get a nice error message stating, "Dial-in profile changes were not saved because: Access is Denied.". When I try James's method, the entire dial-in tab is not grayed out, but I get the error message. When I try Tony's suggestion (grant read/write to msNPAllowDialin specifically), I am able to do a more granular delegation in which only the Remote Access Permission portion of the Dial-in tab is not grayed out (the rest is still grayed out), however this also results in the same error when a change is attempted. Any thoughts on what else I may need to grant permissions on so this can be properly delegated? The GUI seems to be a hurdle I've jumped over, but the actual implementation of the change doesn't want to take. Thanks guys, ~Ben -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Thursday, November 30, 2006 11:50 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Delegate VPN rights You will need to modify dssec.dat to expose the property. http://www.activedir.org/article.aspx?aid=24#11 Tony ---------- Original Message ---------------------------------- From: "WATSON, BEN" <[EMAIL PROTECTED]> Reply-To: ActiveDir@mail.activedir.org Date: Thu, 30 Nov 2006 09:34:39 -0800 I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is set, True when Allow Access is set, and "not set" when Control Access through Remote Access Policy is set. However when I attempt to delegate out the rights to a security group so they can modify this, it is not listed as a selectable property. Am I missing something here? Should I be looking for a different property to delegate out this right? Thanks, ~Ben Watson ________________________________________________________________ Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
