Hmm, getting closer but not quite there yet!  Thanks Tony and James for
the excellent responses.

Both of your attempted solutions do grant the ability to modify what I
want to modify in the GUI (ADUC) in the sense that they are no longer
grayed out to members of the delegated security group; however, when a
change is attempted I get a nice error message stating, "Dial-in profile
changes were not saved because: Access is Denied.".

When I try James's method, the entire dial-in tab is not grayed out, but
I get the error message.  When I try Tony's suggestion (grant read/write
to msNPAllowDialin specifically), I am able to do a more granular
delegation in which only the Remote Access Permission portion of the
Dial-in tab is not grayed out (the rest is still grayed out); however,
this also results in the same error when a change is attempted.

Any thoughts on what else I may need to grant permissions on so this can
be properly delegated?  The GUI seems to be a hurdle I've jumped over,
but the actual implementation of the change doesn't want to take.

Thanks guys,
~Ben

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, November 30, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate VPN rights

You will need to modify dssec.dat to expose the property.

http://www.activedir.org/article.aspx?aid=24#11

Tony
---------- Original Message ----------------------------------
From: "WATSON, BEN" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 30 Nov 2006 09:34:39 -0800

I'm attempting to delegate out the permissions to adjust the Remote
Access Permissions under the Dial-In tab in Active Directory for user
accounts.  When performing an LDAP query, I notice that changes to this
setting are recorded in the msNPAllowDialin attribute.  Set to False
when Deny Access is set, True when Allow Access is set, and "not set"
when Control Access through Remote Access Policy is set.

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property.  Am I
missing something here?  Should I be looking for a different property to
delegate out this right?

Thanks,

~Ben Watson

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/