RE: [ActiveDir] Delegate disable/enable user accounts
read/write permission on the useraccountcontrol attribute of the user object.

HOWEVER... the disabled/enabled status of a user object is represented by a bit/flag in the useraccountcontrol attribute and that same attribute consists of more bits/flags. So if you delegate read/write permission on the useraccountcontrol, you delegate control on all of the bits/flags represented in that useraccountcontrol attribute. It may not be what you want.

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Tue 6-12-2005 14:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate disable/enable user accounts

Does anyone know off the top of their head the permissions required for delegation of disabling and enabling user accounts, or have a link? Google is failing me...or rather me failing google
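The point made in the reply above (write access to userAccountControl covers every flag in it, not only the disabled bit) can be checked after the fact by comparing before and after values of the attribute. The following is an added example, not part of the original thread: the flag table is a subset of the documented userAccountControl bit values, and the sample records, account names and function names are constructed for illustration.

```python
# Subset of the documented userAccountControl bit values (ADS_UF_*).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002  # the only bit the delegation was meant to cover

def decode(uac):
    """Return the names of the flags set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UAC_FLAGS)  # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def review_change(old, new):
    """Classify one change of the attribute against the intended scope."""
    changed = old ^ new                       # bits that differ
    out_of_scope = changed & ~ACCOUNTDISABLE  # anything besides disable/enable
    return {
        "disable_toggled": bool(changed & ACCOUNTDISABLE),
        "set": decode(out_of_scope & new),
        "cleared": decode(out_of_scope & old),
        "in_scope": out_of_scope == 0,
    }

# Constructed sample: (account, old value, new value) as an export might give.
SAMPLE_CHANGES = [
    ("alice", 0x200, 0x202),    # 512 -> 514: account disabled, nothing else
    ("bob", 0x202, 0x10200),    # enabled, but DONT_EXPIRE_PASSWORD also set
    ("carol", 0x40200, 0x220),  # SMARTCARD_REQUIRED cleared, PASSWD_NOTREQD set
]

def out_of_scope_changes(changes):
    """Return the changes that touched more than the ACCOUNTDISABLE bit."""
    findings = []
    for account, old, new in changes:
        result = review_change(old, new)
        if not result["in_scope"]:
            findings.append((account, result["set"], result["cleared"]))
    return findings

if __name__ == "__main__":
    for finding in out_of_scope_changes(SAMPLE_CHANGES):
        print(finding)
```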
Re: [ActiveDir] Delegate disable/enable user accounts
WP on the user object's userAccountControl attribute.
RE: [ActiveDir] Delegate disable/enable user accounts
... which is exactly why 3rd party vendors offer proxied user account admin tools, which can help to address this 'issue'.

[I am not suggesting that the proxied approach is 'better' but simply that it may meet the poster's requirements.]

neil
RE: [ActiveDir] Delegate disable/enable user accounts
WP? Write permissions? Is that all the group would need?
RE: [ActiveDir] Delegate disable/enable user accounts
Man, read/write to useraccountcontrol seems to enable a user to delete a mailbox too.
RE: [ActiveDir] Delegate disable/enable user accounts
No, useraccountcontrol mainly holds the fields you see in the checkboxes of the account tab, such as logon with smartcard, must not change password a.s.o.

You can not delegate deletion of mailboxes in AD only, you also need to give rights in the exchange store as well.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
RE: [ActiveDir] Delegate disable/enable user accounts
Hmmm, is there the possibility that permissions are granted before even clicking Finish in the delegation wizard?

The reason I ask is because I created a test user, started clicking on perms in the delegation wizard just to see what happened (without clicking on the Finish button), then clicked the back button, cancelled, and started the wizard again. When I started the wizard again, I instead put a group which I then made that same user a member of, then delegated them just the RW on useraccountcontrol. After I found out that I was able to delete a mailbox in that OU, I thought I had better check the effective permissions. The user had all kinds of permissions. I then added another new user to the group that had been delegated rights and that user only had the specific rights that it should have.

Does this sound bogus?
RE: [ActiveDir] Delegate disable/enable user accounts
I agree that you can't delete mailboxes with WP to userAccountControl.

However you don't need store access to delete mailboxes, or more accurately to disconnect them. You do need store access (admin rights on the Exchange server) to purge a mailbox. To delegate deletion of mailboxes you simply delegate WP to the list of all Exchange attributes that can be applied to a user object. While the GUI/CDOEXM may give you crap about it, a simple LDAP write will work (which is what ExchMbx uses for the -clear option).

You also don't need store or Exchange Admin (any level rights) to create a mailbox, having access to about 2 attributes in AD is all that is required. But again, GUI/CDOEXM will complain. The next version of ExchMbx should have that functionality implemented to work with only those two attributes being delegated.
RE: [ActiveDir] Delegate disable/enable user accounts
Yep WP on userAccountControl. But again, the caveats others have mentioned, it gives the person ability to modify quite a bit on an account.