Delegate Control to create user accounts

Thomas M

Hi everyone.

In win2003, I need to delegate control to create new user accounts on an OU,
without delegating any other rights. This only works partially, that is, new
user objects are created, but with an "insufficient rights" warning.
Afterwards, the new user object is disabled.

What minimum permissions do I have to delegate, so that user objects can be
created as well as enabled?


Regards
Thomas
 
ptwilliams

You need the create user permission on the parent container, and the write
property permission on the Reset Password extended right
(user-account-control).

Have a look at the delegation whitepaper.

The delegation of control wizard should do this for you.


Note. You need to view advanced mode to be able to see an object's
permissions.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Thomas M

ptwilliams said:
The delegation of control wizard should do this for you.
I've used the wizard, but when I delegate the right to create user objects,
new user accounts can be created, but only in a disabled state. So, the
wizard alone cannot do this.

I can only make it work by setting too broad permissions, that is, more than
needed, which causes these permissions on the OU:
Apply onto: "This object and all child objects" : Create user objects

Apply onto: "User objects" : Reset password
(this is bad, since all user accounts in the OU can have their passwords
reset by the users that are only supposed to create new user
accounts).

And now, what makes user creation work, without warnings, but also grants
too many rights:
Apply onto: "User objects" : Write all properties
This last one is a nasty one; it gives the person with the delegated rights
the ability to change all properties on user objects, which is bad.

The users who get control delegated must only be able to create new user
accounts. It seems to me that this isn't possible.
Any ideas?
 
Thomas M

ptwilliams said:
You don't need to grant write all attributes. You just need to be able to
manipulate the password.

Exactly my point. So, how do I do that?


Regards,
Thomas
 
Thomas M

ptwilliams said:
By granting permission to the extended right - reset password, which is
basically giving you access to modify the USER_ACCOUNT_CONTROL bitwise
attribute.

I already did that, please see my post from March 3rd. As I wrote there,
this affects all user objects, not just new user objects.
 
