AD permissions

Ade

Distinguished
May 5, 2004
81
0
18,630
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi, two issues....

I have been trying to delegate rights via an OU, when I add a user or group
and assign permission it says it has been successful. However, when I go
back in using the delegation wizard again, there is no user or group listed
in the add/remove window, has anyone seen this before and know what the
issue may be?

Whilst testing this, I also logged onto my machine (which has the AD client
tools installed) as a normal user who is ony a member of domain users and
opened ADU&C.......I was horrified to find that not only could I create a
new user, but also delete an existing one, from ANY OU. Does anyone know
what could have happenned, there are no delegated rights on the domain, or
any OU's other that the ones I tried to setup (which dont look like they
work anyhow)

Can anyone offer help/advice, much appreciated.
 

Ade

Distinguished
May 5, 2004
81
0
18,630
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Could it have anything to do with the Pre-Windows 2000 Compatible Access
group?

"ade" <someone@nowhere.com> wrote in message
news:elN4$OgjFHA.2644@TK2MSFTNGP09.phx.gbl...
> Hi, two issues....
>
> I have been trying to delegate rights via an OU, when I add a user or
group
> and assign permission it says it has been successful. However, when I go
> back in using the delegation wizard again, there is no user or group
listed
> in the add/remove window, has anyone seen this before and know what the
> issue may be?
>
> Whilst testing this, I also logged onto my machine (which has the AD
client
> tools installed) as a normal user who is ony a member of domain users and
> opened ADU&C.......I was horrified to find that not only could I create a
> new user, but also delete an existing one, from ANY OU. Does anyone know
> what could have happenned, there are no delegated rights on the domain, or
> any OU's other that the ones I tried to setup (which dont look like they
> work anyhow)
>
> Can anyone offer help/advice, much appreciated.
>
>
 

Ade

Distinguished
May 5, 2004
81
0
18,630
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Some more info for you to go on......when I look at the security permissions
on the OU's themselves, the 'everyone' group appears to be able to have full
write acces under advanced/edit, please can someone let me know if this is
what could acuse the above, I'd rather not change it incase something were
to go wrong.

Any help much appreciated.

"ade" <someone@nowhere.com> wrote in message
news:e4$wdTqjFHA.232@TK2MSFTNGP10.phx.gbl...
> Could it have anything to do with the Pre-Windows 2000 Compatible Access
> group?
>
> "ade" <someone@nowhere.com> wrote in message
> news:elN4$OgjFHA.2644@TK2MSFTNGP09.phx.gbl...
> > Hi, two issues....
> >
> > I have been trying to delegate rights via an OU, when I add a user or
> group
> > and assign permission it says it has been successful. However, when I
go
> > back in using the delegation wizard again, there is no user or group
> listed
> > in the add/remove window, has anyone seen this before and know what the
> > issue may be?
> >
> > Whilst testing this, I also logged onto my machine (which has the AD
> client
> > tools installed) as a normal user who is ony a member of domain users
and
> > opened ADU&C.......I was horrified to find that not only could I create
a
> > new user, but also delete an existing one, from ANY OU. Does anyone
know
> > what could have happenned, there are no delegated rights on the domain,
or
> > any OU's other that the ones I tried to setup (which dont look like they
> > work anyhow)
> >
> > Can anyone offer help/advice, much appreciated.
> >
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

"" wrote:
> Hi, two issues....
>
> I have been trying to delegate rights via an OU, when I add a
> user or group
> and assign permission it says it has been successful.
> However, when I go
> back in using the delegation wizard again, there is no user or
> group listed
> in the add/remove window, has anyone seen this before and know
> what the
> issue may be?
>
> Whilst testing this, I also logged onto my machine (which has
> the AD client
> tools installed) as a normal user who is ony a member of
> domain users and
> opened ADU&C.......I was horrified to find that not only could
> I create a
> new user, but also delete an existing one, from ANY OU. Does
> anyone know
> what could have happenned, there are no delegated rights on
> the domain, or
> any OU's other that the ones I tried to setup (which dont look
> like they
> work anyhow)
>
> Can anyone offer help/advice, much appreciated.

check the membership of the default MS admin groups (domain admins,
administrators, enterprise admins, account operators) and the ACE on
the domain object and the OUs

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-AD-permissions-ftopict398821.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1317983
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi

I have just tested access to ADUC and as a bog standard domain user the
admin tools dont appear on the start menu however yo can create an mmc
with ADUC in.

With this you can indeed open ADUC and see the domain and all the users
but when trying to modify anything like a password or resetting an
account or deleting an account it gives an access denied....phew!!

had me worried there

Si


--
pscyimePosted from http://www.pcreview.co.uk/ newsgroup access
 

Ade

Distinguished
May 5, 2004
81
0
18,630
Archived from groups: microsoft.public.win2000.active_directory (More info?)

OK - nothing regarding bormal users and groups in the admin groups.

When I look at the advanced security settings on the OU's and users etcm the
'everyone' group has various write permissions, can someone let me know if
this is the norm please?


"Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:3_1317983_f6310cd09d2de8a1a9325c7f52f7a4c1@windowsforumz.com...
> "" wrote:
> > Hi, two issues....
> >
> > I have been trying to delegate rights via an OU, when I add a
> > user or group
> > and assign permission it says it has been successful.
> > However, when I go
> > back in using the delegation wizard again, there is no user or
> > group listed
> > in the add/remove window, has anyone seen this before and know
> > what the
> > issue may be?
> >
> > Whilst testing this, I also logged onto my machine (which has
> > the AD client
> > tools installed) as a normal user who is ony a member of
> > domain users and
> > opened ADU&C.......I was horrified to find that not only could
> > I create a
> > new user, but also delete an existing one, from ANY OU. Does
> > anyone know
> > what could have happenned, there are no delegated rights on
> > the domain, or
> > any OU's other that the ones I tried to setup (which dont look
> > like they
> > work anyhow)
> >
> > Can anyone offer help/advice, much appreciated.
>
> check the membership of the default MS admin groups (domain admins,
> administrators, enterprise admins, account operators) and the ACE on
> the domain object and the OUs
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Active-Directory-AD-permissions-ftopict398821.html
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=1317983
 

Ade

Distinguished
May 5, 2004
81
0
18,630
Archived from groups: microsoft.public.win2000.active_directory (More info?)

OK - still no joy as yet, can someone let me know of there is a tool or
similar that can set group permissions back to the default (e.g. domain
users, everyone etc) as this is making me pull my hair out.

TIA

"ade" <someone@nowhere.com> wrote in message
news:elN4$OgjFHA.2644@TK2MSFTNGP09.phx.gbl...
> Hi, two issues....
>
> I have been trying to delegate rights via an OU, when I add a user or
group
> and assign permission it says it has been successful. However, when I go
> back in using the delegation wizard again, there is no user or group
listed
> in the add/remove window, has anyone seen this before and know what the
> issue may be?
>
> Whilst testing this, I also logged onto my machine (which has the AD
client
> tools installed) as a normal user who is ony a member of domain users and
> opened ADU&C.......I was horrified to find that not only could I create a
> new user, but also delete an existing one, from ANY OU. Does anyone know
> what could have happenned, there are no delegated rights on the domain, or
> any OU's other that the ones I tried to setup (which dont look like they
> work anyhow)
>
> Can anyone offer help/advice, much appreciated.
>
>