
Delegate Control to create user accounts

Anonymous
March 7, 2005 7:31:21 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi everyone.

In win2003, I need to delegate control to create new user accounts on an OU,
without delegating any other rights. This only works partially, that is, new
user objects are created, but with an "insufficient rights" warning.
Afterwards, the new user object is disabled.

What minimum permissions do I have to delegate, so that user objects can be
created as well as enabled?


Regards
Thomas
Anonymous
March 7, 2005 9:39:38 PM


You need the create user permission on the parent container, and the write
property permission on the Reset Password extended right
(user-account-control).

Have a look at the delegation whitepaper.

The delegation of control wizard should do this for you.


Note. You need to view advanced mode to be able to see an object's
permissions.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
Anonymous
March 8, 2005 5:04:33 PM


"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:eCtmKS0IFHA.1948@TK2MSFTNGP14.phx.gbl...
> The delegation of control wizard should do this for you.
I've used the wizard, but when I delegate the right to create user objects,
new user accounts can be created, but only in a disabled state. So, the
wizard alone cannot do this.

I can only make it work by granting larger permissions than needed, which
results in these permissions on the OU:
Apply onto: "This object and all child objects" : Create user objects

Apply onto: "User objects" : Reset password
(this is bad, since all user accounts in the OU can have their passwords
reset by the users that are only supposed to create new user
accounts).

And now, what makes user creation work, without warnings, but also causes
too many rights:
Apply onto: "User objects" : Write all properties
This last one is a nasty one, it gives the person with the delegated rights
the ability to change all properties on user objects, which is bad.

The users who get control delegated must only be able to create new user
accounts. It seems to me that this isn't possible.
Any ideas?

--
Regards,
Thomas
Anonymous
March 10, 2005 11:31:13 AM


"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:utVhpsOJFHA.2136@TK2MSFTNGP14.phx.gbl...
> You don't need to grant write all attributes. You just need to be able to
> manipulate the password.

Exactly my point. So, how do I do that?


Regards,
Thomas
Anonymous
March 10, 2005 8:34:44 PM


By granting permission to the extended right - reset password, which is
basically giving you access to modify the USER_ACCOUNT_CONTROL bitwise
attribute.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
Anonymous
March 11, 2005 4:25:12 PM


"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:eaz52bZJFHA.1528@TK2MSFTNGP09.phx.gbl...
> By granting permission to the extended right - reset password, which is
> basically giving you access to modify the USER_ACCOUNT_CONTROL bitwise
> attribute.

I already did that, please see my post from March 3rd. As I wrote there,
this affects all user objects, not just new user objects.

--
Regards,
Thomas
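The thread turns on which ACEs the "Create user objects" task is missing: a user created through the wizard's delegation stays disabled because enabling it is a write to the userAccountControl attribute (the attribute Paul names), and setting the initial password is the Reset Password extended right. Below is an added example, written for this archive and not code posted by either participant, that grants exactly those three ACEs on one OU instead of "Write all properties". It assumes the RSAT ActiveDirectory PowerShell module, a caller allowed to modify the OU's DACL, and the placeholder OU and group names in the first lines; the schema and extended-right GUIDs are read from the directory rather than typed in.

```powershell
# Added example (not from the archived thread): least-privilege delegation for
# "create a user in this OU, set its password, enable it" and nothing else.
# Assumptions: RSAT ActiveDirectory module present; the caller may edit the OU's
# DACL; the OU DN and group name below are placeholders to replace.
Import-Module ActiveDirectory

$ouDN    = 'OU=Helpdesk-Managed,DC=example,DC=com'   # placeholder OU
$grantee = (Get-ADGroup 'UserCreators').SID          # placeholder group
# Assumed alternative, to confine steps 2 and 3 to objects the delegate itself
# creates: grant them to CREATOR OWNER (S-1-3-0); inheritance then stamps the
# creator's SID onto each new child object, not onto pre-existing users.
# $grantee = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the schema / Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$ldapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $o) { throw "extended right '$displayName' not found" }
    [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'user'                  # object class the delegate may create
$uacAttr   = Get-SchemaGuid 'userAccountControl'    # attribute whose ACCOUNTDISABLE bit "enable" clears
$resetPwd  = Get-ExtendedRightGuid 'Reset Password' # control access right for setting the initial password

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create child objects of class user, on the OU itself only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $grantee, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow, $userClass, $none))

# 2. Write only userAccountControl on descendant user objects; no other property
#    becomes writable, which is what "Write all properties" would have given away.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $grantee, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $uacAttr, $desc, $userClass))

# 3. Reset Password extended right on descendant user objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $grantee, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $desc, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show the ACEs on the OU that now name the grantee, with their object-type scoping.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $grantee } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Steps 2 and 3 are the ACEs Thomas had to add by hand; scoping them to the single attribute and the single extended right, and inheriting them only onto user objects, removes the "change all properties" exposure he objects to. Whether the CREATOR OWNER variant satisfies the "only the accounts they create" requirement should be confirmed with a test account in the OU, since it relies on DACL inheritance behaviour rather than anything the thread states.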