User cannot manage object in AD after Managed By enabled


  • User cannot manage object in AD after Managed By enabled

    Hi,

    Hope someone can help.

    We have a Forest root domain and a new domain was created in the same forest.

    After creating the new domain users existing in that new domain are unable to manage objects in AD.

    We have a distribution group in the Forest root and a user in the new domain has been granted the Managed By permission on this group.

    When users attempt to amend the DL they receive an error advising them
    they do not have permissions.

    Can anyone give me some advice on this please, I assume it must be to do with trust relationships between the domains.

    Many Thanks

    Scott

  • #2
    Re: User cannot manage object in AD after Managed By enabled

    > Managed By

    Nope, has nothing to do with trusts. This attribute does NOTHING except to register who to contact. To actually enable an account to change a group, you need to set permissions on the group. Or alternatively, on its parent OU.



    • #3
      Re: User cannot manage object in AD after Managed By enabled

      Have you selected the "Manager can update membership list" checkbox (if this is W2K3 Admin Tools)?

      As Willem already mentioned, ManagedBy attribute does nothing to the ACL. Checking the "Manager can update membership list" will actually add the required permissions in the background.
      Notice that the UI will not let you grant "Managed By" to a security group, but you can still achieve it with other tools like dsmod, admod, etc...

      Also, if you made the DL hidden from the GAL, check out the following KB: http://support.microsoft.com/?kbid=910808
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
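
To verify what the replies describe, the following check (an added example, not code from any poster in this thread) reads a group's managedBy value and its ACL and reports whether that principal holds a direct Allow ACE for WriteProperty on the member attribute. The function name and the `-GroupServer` / `-ManagerServer` parameters are assumptions for illustration; it requires the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; an ACE scoped to this GUID
# controls who may edit the group's membership list.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-ManagerCanUpdateMembership {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $GroupServer,    # DC in the group's domain
        [Parameter(Mandatory)] [string] $ManagerServer   # DC in the manager's domain
    )

    $group = Get-ADGroup -Identity $GroupName -Server $GroupServer `
                         -Properties managedBy, nTSecurityDescriptor
    if (-not $group.managedBy) {
        Write-Warning "$GroupName has no managedBy value."
        return $false
    }

    # managedBy stores only a distinguished name. Resolve it to a SID by
    # asking a DC in the manager's own domain (it may differ from the group's).
    $manager = Get-ADObject -Identity $group.managedBy -Server $ManagerServer `
                            -Properties objectSid
    $sid = $manager.objectSid.Value

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $group.nTSecurityDescriptor.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    # Direct ACEs only: rights granted through the manager's group
    # memberships, and any Deny ACEs, are not evaluated here.
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    return [bool]$match
}
```

A result of `$false` for a group whose managedBy is populated corresponds to the situation in the original question: the attribute is set, but no matching permission exists on the group.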
