Hi Ben,
the entire Dial-In Tab doesn't allow granular delegation - you need to delegate everything which is on the tab since it's writing back all attributes on the Tab no matter what. If you feel this is wrong open up a case with PSS and line up in the row of customers which want this changed. I've had a Critical Design Change Request with an Insurance Group about this, however it was not requested by other customers at this time and therefore not changed for a single customer. Some Infos I've wrote once about this issue: http://www.windowsserverfaq.de/faq/DialInTab.asp Gruesse - Sincerely, Ulf B. Simon-Weidner Profile & Publications: <blocked::http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F 2F1214C811D> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D Weblog: <blocked::http://msmvps.org/UlfBSimonWeidner> http://msmvps.org/UlfBSimonWeidner Website: <blocked::http://www.windowsserverfaq.org/> http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Donnerstag, 30. November 2006 18:35 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate VPN rights I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is set, True when Allow Access is set, and "not set" when Control Access through Remote Access Policy is set. However when I attempt to delegate out the rights to a security group so they can modify this, it is not listed as a selectable property. Am I missing something here? Should I be looking for a different property to delegate out this right? Thanks, ~Ben Watson