Delegate Control to create user accounts

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi everyone.

In win2003, I need to delegate control to create new user accounts on an OU,
without delegating any other rights. This only works partially, that is, new
user objects are created, but with an "insufficient rights" warning.
Afterwards, the new user object is disabled.

What minimum permissions do I have to delegate, so that user objects can be
created as well as enabled?


Regards
Thomas
  1.

    You need the create user permission on the parent container, and the write
    property permission on the Reset Password extended right
    (user-account-control).

    Have a look at the delegation whitepaper.

    The delegation of control wizard should do this for you.


    Note. You need to view advanced mode to be able to see an object's
    permissions.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  2.

    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:eCtmKS0IFHA.1948@TK2MSFTNGP14.phx.gbl...
    > The delegation of control wizard should do this for you.
    I've used the wizard, but when I delegate the right to create user objects,
    new user accounts can be created, but only in a disabled state. So, the
    wizard alone cannot do this.

    I can only make it work by setting too large permissions, that is, more than
    needed, which causes these permissions on the OU:
    Apply onto: "This object and all child objects" : Create user objects

    Apply onto: "User objects" : Reset password
    (this is bad, since all user accounts in the OU can have their passwords
    reset by the users that are only supposed to create new user
    accounts).

    And now, what makes user creation work, without warnings, but also causes
    too many rights:
    Apply onto: "User objects" : Write all properties
    This last one is a nasty one, it gives the person with the delegated rights
    the ability to change all properties on user objects, which is bad.

    The users who get control delegated must only be able to create new user
    accounts. It seems to me, that this isn't possible.
    Any ideas?

    --
    Regards,
    Thomas
  3.

    You don't need to grant write all attributes. You just need to be able to
    manipulate the password.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  4.

    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:utVhpsOJFHA.2136@TK2MSFTNGP14.phx.gbl...
    > You don't need to grant write all attributes. You just need to be able to
    > manipulate the password.

    Exactly my point. So, how do I do that?


    Regards,
    Thomas
  5.

    By granting permission to the extended right - reset password, which is
    basically giving you access to modify the USER_ACCOUNT_CONTROL bitwise
    attribute.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  6.

    "ptwilliams" <ptw2001@hotmail.com> wrote in message
    news:eaz52bZJFHA.1528@TK2MSFTNGP09.phx.gbl...
    > By granting permission to the extended right - reset password, which is
    > basically giving you access to modify the USER_ACCOUNT_CONTROL bitwise
    > attribute.

    I already did that, please see my post from March 3rd. As I wrote there,
    this affects all user objects, not just new user objects.

    --
    Regards,
    Thomas
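
The three delegations listed in the thread can be checked on an OU by reading its DACL in SDDL form and reporting what each ACE grants and to which objects. The following is an added example, not code from any poster in this thread; the sample DACL and the trustee SID are constructed, and the GUIDs are the standard Active Directory ones for the user class, the userAccountControl attribute and the Reset Password extended right.

```python
import re

# Well-known AD GUIDs: the user class, one attribute, one extended right.
GUIDS = {
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
    "bf967a68-0de6-11d0-a285-00aa003049e2": "userAccountControl",
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",
}
RIGHTS = {"CC": "Create child", "WP": "Write property", "CR": "Extended right"}

# Constructed sample: the three delegations listed in the thread, as SDDL.
# The trustee SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_DACL = (
    f"D:(OA;CI;CC;{USER};;{SID})"
    f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;{USER};{SID})"
    f"(OA;CIIO;WP;;{USER};{SID})"
)

def audit(sddl, trustee):
    """Describe each allow ACE held by trustee and flag all-property grants."""
    findings = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # not a well-formed ACE string
        ace_type, flags, rights, obj, inherit_obj, sid = fields
        if ace_type not in ("A", "OA") or sid != trustee:
            continue
        for code in (rights[i:i + 2] for i in range(0, len(rights), 2)):
            if code not in RIGHTS:
                continue
            target = GUIDS.get(obj.lower(), obj) if obj else "ALL"
            scope = GUIDS.get(inherit_obj.lower(), inherit_obj) if inherit_obj else "any"
            findings.append({
                "right": RIGHTS[code],
                "target": target,
                "applies_to": scope,
                # An empty object GUID on WP/CR means every property or right.
                "broad": code in ("WP", "CR") and not obj,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_DACL, SID):
        mark = "REVIEW" if f["broad"] else "ok"
        print(f'{mark:6} {f["right"]}: {f["target"]} (on {f["applies_to"]} objects)')
```

The entry marked REVIEW corresponds to the "Write all properties" delegation on user objects described in the second post.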