  • #1
    Delegating Control

    My goal is to allow managers to reset the passwords of the people who work under them (only those people in the same department) but I have a couple of issues.

    Managers and their reps are in the same OU so I created a custom MMC that shows only the OU that each manager can control. I right-clicked on the OU and selected Delegate Control. I created a custom task and allowed them to only change user objects. Then I gave them the change password and reset password permissions.

    When I go have one of the managers look at the rep's user object, they can change the password but they can also change the group membership. That's not okay. How do I prevent that?

    Also, I wanted to add someone to the list of people who can make these changes, so I right-clicked on the OU again and clicked Delegate Control again. The problem is that the other user isn't listed (though I see a Remove button, I don't see anyone to remove). How do I "un-delegate control"?

    Thanks.

  • #2
    Re: Delegating Control

    Plenty of views, no thoughts?

    • #3
      Re: Delegating Control

      Be patient - you've only waited a day. Nobody is paid to be here; everybody volunteers what time they have to help people. If someone has an opinion, they will post it.

      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      • #4
        Re: Delegating Control

        I don't see any rule that says I can't throw my hand up again. You know, bump the thread. Thanks for your obvious response though.

        • #5
          Re: Delegating Control

          Hey, I just did a lab for you, and for me it works perfectly fine.

          Here's what I did:

          Created OU 1
          User: M1
          User: M2

          Group: G1 (universal/security)
          Group: G2 (universal/security)

          Made M1 and M2 members of G2.

          Delegated to Test1 only this permission:
          Reset user password and force password change at next logon

          Logged on to the member server with the Test1 user.

          Tried to change the password. Worked fine.
          Tried to change the group membership through G2: Add/Remove option greyed out.

          From user: Check the screenshot.

          I think you might not be doing it the way it's supposed to be done.

          Thanks & Regards
          v-2nas

          MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
          Sr. Wintel Eng. (Investment Bank)
          Independent IT Consultant and Architect
          Blog: http://www.exchadtech.blogspot.com

          Show your appreciation for my help by giving reputation points

          • #6
            Re: Delegating Control

            Originally posted by mhashemi:
            My goal is to allow managers to reset the passwords of the people who work under them (only those people in the same department) but I have a couple of issues.

            Managers and their reps are in the same OU so I created a custom MMC that shows only the OU that each manager can control. I right-clicked on the OU and selected Delegate Control. I created a custom task and allowed them to only change user objects. Then I gave them the change password and reset password permissions.

            When I go have one of the managers look at the rep's user object, they can change the password but they can also change the group membership. That's not okay. How do I prevent that?

            Also, I wanted to add someone to the list of people who can make these changes so I right-clicked on the OU again and clicked Delegate Control again. The problem is that the other user isn't listed (though I see a Remove button, I don't see anyone to remove. How do I "un-delegate control?"

            Thanks.

            There's no wizard to un-delegate; you have to turn on Advanced view and manually edit the ACEs under the Security tab of the object.

            • #7
              Re: Delegating Control

              I was delegating control differently. I had been doing the following:
              1. Right click on OU
              2. Select Delegate Control
              3. Click Next
              4. Click Add
              5. Add user
              6. Click Next
              7. Click Create a custom task to delegate
              8. Click Only the following objects in the folder
              9. Add a check next to User objects
              10. Click Next
              11. Add a check next to Change Password and Reset Password
              12. Click Next
              13. Click Finish

              Now I've tried it your way and delegated the common task: Reset user passwords and force password change at next logon.

              However, that didn't help, my users can still add and remove group membership. I looked at the security rights for that OU and denied permission to read or write group membership and found that the test user couldn't see the list of groups another user was a member of, but could add to that list.

              What is wrong with our domain?

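              An added example, not code posted in this thread, of doing the same work from PowerShell with the RSAT ActiveDirectory module: listing the ACEs the Delegation wizard wrote for a principal on an OU (what ADUC shows under Security, Advanced), checking whether any of them allows writing the member attribute (group membership), removing the principal's explicit ACEs (the manual "un-delegate" step from #6), and re-granting only the Reset Password extended right on user objects, as in the custom task steps above. The OU distinguished name and the manager group are placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and rights to edit the OU's ACL.
Import-Module ActiveDirectory

# Placeholders: substitute your own OU and the manager group you delegated to.
$ouDN      = 'OU=Sales,DC=example,DC=com'
$principal = 'EXAMPLE\Sales-Managers'

# Schema GUIDs (fixed across all AD forests)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$memberAttribute    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute = group membership
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' object class

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Audit: list what the Delegation wizard actually wrote for this principal
#    (the same entries ADUC shows under Security -> Advanced).
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize

# 2. Check: does any Allow ACE let the principal write 'member' (or every attribute)?
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$writesMember = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    ($_.ObjectType -eq $memberAttribute -or $_.ObjectType -eq [Guid]::Empty)
}
if ($writesMember) { Write-Warning "$principal can modify group membership on objects under $ouDN" }

# 3. "Un-delegate": drop every explicit (non-inherited) ACE for the principal,
#    which is what deleting the entries by hand on the Security tab does.
$toRemove = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal -and -not $_.IsInherited })
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }

# 4. Re-delegate only the Reset Password extended right, on descendant user objects.
$sid  = (New-Object System.Security.Principal.NTAccount($principal)).Translate([System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)

# Write the ACL back; nothing changes in AD until this runs (same as OK/Apply in ADUC).
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

              The wizard's common task "Reset user passwords and force password change at next logon" also grants read/write on pwdLastSet; this block deliberately grants only the Reset Password right, so add a second ACE for that attribute if the managers need to force a change at next logon.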
              • #8
                Re: Delegating Control

                Darn, it was me.

                I wasn't hitting OK or Apply. ADUC lets you add the group to the list, but doesn't let you apply that change.

                Working well, thanks.

                • #9
                  Re: Delegating Control

                  Great, my friend.
                  Thanks & Regards
                  v-2nas