Delegate control
  • Delegate control

    Ok, So what I want is for a user to be able to manage the users in his own ou, simple.

    The OU is created, and all setup.

    This user's machine is NOT part of the domain, and Windows 7 pro.

    I have installed RSAT tools, and set up the server and client so that they are working (I tested it with my domain admin account).

    But when I try to connect as the user, who has no special privileges in the domain, he gets an access denied. I suspect that he must have some subset of privileges in order to access the domain controller, but I can't find out what those are. It is important that he have the least privilege possible.

    Any help would be awesome, Thank you!

  • #2
    Re: Delegate control

    How is the user attempting to access the domain? Network shares, RDP, VPN?

    Is the new OU allowed to log onto the server (have you given it network permission as well as NTFS permission?).

    This OU, does it interact with the Domain in any interesting way (does it have its own controllers and catalog servers?).

    Are there other users in this OU, can they log on, and if so, what's different between users? If not, can you create a new user in that OU and see if it can log on?

    Also, can you quickly describe what you are trying to achieve? I am assuming you have a user to be an admin at a branch office, or something along those lines, but we all know what assume stands for.

    Wofen
    Good to be back....



    • #3
      Re: Delegate control

      Thank you for your reply, here are the answers;

      How is the user attempting to access the domain? Network shares, RDP, VPN?

      The user is accessing the domain to use shares (on a different file server), that's why he has a domain account, and he will administer all the other users in the work group who reside in the specific OU who want to access the shares. As for the domain controller, he never accesses it directly. I WANT him to use an MMC or RSAT tools to access the server, and have delegated rights only to the OU he is allowed to administer. I tried making an ipc connection to the server, but that didn't help.

      Is the new OU allowed to log onto the server (have you given it network permission as well as NTFS premission?).
      I don't know. Could you be more specific? This is the first time I have tried delegating control of anything. I went through the wizard, and that was it. I did check the privileges (NTFS??) on the OU, and it does show the user with the correct rights.

      As a side note, how can I tell if an OU has been delegated, and to whom? Is there a way besides checking the security?

      This OU, does it interact with the Domain in any interesting way (does it have its own controllers and catalog servers?).
      No.

      Are there other users in this OU, can they log on, and if so, what's different between users? If not, can you create a new user in that OU and see if it can log on?
      No. They are all users. I can access it with the MMC or RSAT tools, but I am a domain admin.

      Also, can you quickly describe what you are trying to achieve? I am assuming you have a user to be an admin at a branch office, or something along those lines, but we all know what assume stands for.
      You are correct, this is a user who will need to manage user accounts in a remote office.



      • #4
        Re: Delegate control

        Any Thoughts?



        • #5
          Re: Delegate control

          Have you run the delegation of control wizard to give the user permissions to access the OU?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Delegate control

            Yes,
            The user does have rights to the OU.

            Also, I gave him "log on locally" rights, and still no go.



            • #7
              Re: Delegate control

              Really, it seems that you have checked out most of the easy things.

              Have you checked that he is in the correct groups (remote admin group, etc.)?

              You could also try Grant Full Access, then remove rights. So, make a new group that has all the restrictions in place to make an Admin into a normal user, then add him to that group as well as the Admin. The Deny will take preference, so you can restrict as much as you want, but if you don't select it, he will have full access (should allow you to basically make him an admin, then deny his access to the rest of the forest).

              Please note: I have not done anything like this, just an idea that should work. Please be warned if you are trying it on a production server.

              Wofen
              Good to be back....



              • #8
                Re: Delegate control

                "Have you checked that he is in the correct groups (remote admin group, etc.)?"

                I am not sure what you are referring to, there is no remote admin group. I only did the delegation wizard.

                I did add my user created group to the server operators group, and it did not help.

                If I add the user to the domain admins group it works fine, but clearly I do NOT want him a member of the domain admin group.

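Two things the thread leaves hanging are the least-privilege alternative to Domain Admins that #8 is looking for, and the question from #3 of how to tell whether an OU has been delegated and to whom. The PowerShell below is an added example, not code posted in the thread; it assumes the RSAT ActiveDirectory module is installed and uses hypothetical names (OU "Branch Users", group "Branch-UserAdmins", domain corp.example). Grant-OuUserManagement writes the same kind of ACEs the Delegation of Control wizard creates for "create, delete and manage user accounts" and "reset user passwords", scoped to one OU; Get-OuDelegation lists every explicit (non-inherited) ACE on that OU with the schema and extended-right GUIDs resolved to names, which is the audit #3 asked for.

```powershell
# Added example (not from the thread): least-privilege user management on one OU,
# plus an audit of who holds explicit rights on it. Assumes the RSAT ActiveDirectory
# module; the OU, group and domain names in the usage lines are hypothetical.
Import-Module ActiveDirectory

# Build a GUID -> name map from schema classes/attributes and extended rights,
# so ACEs can be read without memorising GUIDs.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    $map[[guid]::Empty] = 'All'
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Resolve-AdGuid([hashtable] $Map, [guid] $Guid) {
    if ($Map.ContainsKey($Guid)) { $Map[$Guid] } else { $Guid.ToString() }
}

# Grant a group the rights to create/delete/manage user objects and reset their
# passwords inside one OU. Nothing here touches Domain Admins or Server Operators.
function Grant-OuUserManagement {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupSamAccountName
    )
    $rootDse = Get-ADRootDSE
    $group   = Get-ADGroup -Identity $GroupSamAccountName
    $sid     = [System.Security.Principal.SecurityIdentifier] $group.SID

    # Look the GUIDs up in this forest instead of hard-coding them.
    $userClass = [guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $resetPwd  = [guid] (Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        # Create and delete user objects in this OU and any sub-OU.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
            $userClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        # Read and write the properties of user objects below the OU (not of the OU itself).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
        # The "Reset Password" extended right on user objects below the OU.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            $resetPwd, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
    )

    $aclPath = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $aclPath
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $aclPath -AclObject $acl
}

# List the explicit (non-inherited) ACEs on an OU: who was delegated what.
function Get-OuDelegation {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    $names = Get-AdGuidMap
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = Resolve-AdGuid $names $_.ObjectType
                AppliesTo   = Resolve-AdGuid $names $_.InheritedObjectType
                Inheritance = $_.InheritanceType
            }
        }
}

# Usage (hypothetical names; run on a domain-joined admin workstation or the DC):
# Grant-OuUserManagement -OuDistinguishedName 'OU=Branch Users,DC=corp,DC=example' -GroupSamAccountName 'Branch-UserAdmins'
# Get-OuDelegation -OuDistinguishedName 'OU=Branch Users,DC=corp,DC=example' | Format-Table -AutoSize
```

The branch admin goes into the group, not into Domain Admins or Server Operators, and Get-OuDelegation is the check to run afterwards (and periodically): every row it prints is a right someone granted on that OU on purpose, so anything you do not recognise is worth investigating.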


                • #9
                  Re: Delegate control

                  Originally posted by blankmonkey

                  This user's machine is NOT part of the domain, and Windows 7 pro.

                  I have installed RSAT tools, and setup the server and client so that they are working, ( I tested it with my domain admin account)
                  Hi. What I understand is that you are trying to access directory services using RSAT from a machine which is not a member of the domain.

                  Can you try launching the snap-in using Run As with a member of the domain who has got special privilege, and test if it's working?

                  Also try the following, to see if the user is getting authenticated at all when accessing shares: \\domainControllerName. It would show you the SYSVOL share and public share folders; before that it will try to authenticate the user (domain\userName, password). Key in the creds and test.

                  Another test you can do (just a test): join the machine to the domain and then test with your intended domain account that is supposed to manage the OU and users, and verify if the functionality is proper.
                  Last edited by v-2nas; 15th October 2010, 03:37.
                  Thanks & Regards
                  v-2nas

                  MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                  Sr. Wintel Eng. (Investment Bank)
                  Independent IT Consultant and Architect
                  Blog: http://www.exchadtech.blogspot.com

                  Show your appreciation for my help by giving reputation points



                  • #10
                    Re: Delegate control

                    The Run As trick did it, you rock, thank you. Here are the instructions I emailed my user.

                    BTW, one additional note for the internet. I got an error when I tried to run a custom MMC from my desktop with the runas command:

                    MMC cannot open the file C:\windows\system32\console1.msc

                    This is because the console1.msc MUST reside in the system32 dir.

                    Never did get the custom MMC to work correctly, because you have to connect to the domain after starting, but at least it works. Anyway, here are my results:

                    First open a cmd window as the administrator.
                    Run the cmd:
                    cmdkey /add:<domain Controller> /u:<domain>\<user> /pass
                    Enter your password as PASSWRD.
                    Then run this command:
                    runas /netonly /user:<domain>\<user> "mmc dsa1.msc"
                    Enter your password again.
                    This will open the Users and Computers MMC, with an error; just hit OK.
                    On the Action menu, select Change Domain, and enter <domain>.
                    After you connect, go again to the Action menu and select Change Domain Controller, and double click on <Domain Controller>; this DC has been configured to work with you.


                    Thanks guys

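The steps in #10, written up as a single PowerShell script the branch admin can run from an elevated window. This is an added example, not the poster's email or the thread's own commands. It assumes the same pieces the thread uses (cmdkey, runas /netonly, dsa.msc from RSAT) and hypothetical names (DC dc1.corp.example, domain corp.example, account CORP\branchadmin). Two choices differ from the thread: it passes the full path of the console to mmc instead of relying on the working directory, which is the error #10 ran into with a custom console, and it uses the /domain= and /server= switches of dsa.msc to point the console at the DC up front, in place of the manual Change Domain and Change Domain Controller steps.

```powershell
# Added example (not from the thread): launch Active Directory Users and Computers on a
# workgroup Windows client under a domain account, using network-only credentials.
# All names are hypothetical; run from an elevated PowerShell window.
param(
    [string] $DomainController = 'dc1.corp.example',
    [string] $Domain           = 'corp.example',
    [string] $User             = 'CORP\branchadmin',
    [string] $Console          = "$env:windir\System32\dsa.msc"
)

# #10 hit "MMC cannot open the file" when a console name was passed by itself; pass an
# absolute path that exists instead of depending on runas' working directory.
if (-not (Test-Path -LiteralPath $Console)) {
    throw "Console not found: $Console (is RSAT installed?)"
}

# /netonly means the password is used only for outbound network authentication; there is
# no local logon, which is why it works on a machine that is not joined to the domain.
# The DC still has to resolve by name for Kerberos or NTLM to reach it.
try {
    [void][System.Net.Dns]::GetHostAddresses($DomainController)
} catch {
    Write-Warning "$DomainController does not resolve; add it to DNS or the hosts file first."
}

# The cmdkey step from #10: store the domain credential for this DC in Credential Manager so
# SMB/LDAP connections to it reuse it. /pass with no value prompts for the password.
cmdkey "/add:$DomainController" "/user:$User" /pass

# The runas step from #10, with the console told which domain and DC to open, so the
# "Change Domain" / "Change Domain Controller" clicks are not needed. runas prompts again.
runas /netonly "/user:$User" "mmc `"$Console`" /domain=$Domain /server=$DomainController"
```

The stored credential outlives the session: `cmdkey /list` shows it, and `cmdkey /delete:<domain controller>` removes it when the branch admin no longer needs it. The account itself should hold only the OU delegation discussed earlier in the thread; /netonly does nothing to limit what the account can do once connected, it only changes how the password is presented.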
