Delegate remote access permission

Guest

I want to delegate granting/denying of dialin access to our helpdesk. I
enabled Read/Write Remote Access Information on the specific OU and made a
custom mmc and distributed to my helpdesk. The helpdesk can tick/untick grant
dialin access but when clicking Ok it says access is denied. What additional
right do I have to tick to make this work? Thanks!
 
Jorge_de_Almeida_Pinto

on one of the DCs open up the file DSSEC.DAT (located in
C:\WINDOWS\system32)

search for msNPAllowDialin=

change the 7 into a 0 (zero), save the file

re-open Active Directory Users and Computers on that same DC. Start
the delegation of control wizard

choose as the object type: user objects
for permissions select: general and property specific

select READ/WRITE msNPAllowDialin

You're done. The helpdesk people should now be able to change select
allow or deny or through remote access policies DIALIN on the dialin
TAB

good luck
 
Guest

hi jorge thanks for the reply! however i wasn't able to locate the READ/WRITE
msNPAllowDialin you were referring to after editing
%windir%\system32\dssec.dat. i attach here the list to prove there is no
msNPAllowDialin ;)

Full Control
Read
Write
Create All Child Objects
Delete All Child Objects
Read All Properties
Write All Properties
Change Password
Reset Password
Read and write General Information
Read and write Account Restrictions
Read and write Logon Information
Read and write Group Membership
Read and write Personal Information
Read and write Phone and Mail Options
Read and write Web Information
Read and write Public Information
Read and write Remote Access Information
Allowed to Authenticate
Receive As
Send As
Read accountExpires
Write accountExpires
Read accountNameHistory
Write accountNameHistory
Read adminDescription
Write adminDescription
Read adminDisplayName
Write adminDisplayName
Read Alias
Write Alias
Read altRecipient
Write altRecipient
Read altRecipientBL
Write altRecipientBL
Read altSecurityIdentities
Write altSecurityIdentities
Read Assistant
Write Assistant
Read attributeCertificate
Write attributeCertificate
Read attributeCertificateAttribute
Write attributeCertificateAttribute
Read audio
Write audio
Read authOrig
Write authOrig
Read authOrigBL
Write authOrigBL
Read autoReply
Write autoReply
Read businessCategory
Write businessCategory
Read businessRoles
Write businessRoles
Read carLicense
Write carLicense
Read Comment
Write Comment
Read Company
Write Company
Read Custom Attribute 1
Write Custom Attribute 1
Read Custom Attribute 10
Write Custom Attribute 10
Read Custom Attribute 11
Write Custom Attribute 11
Read Custom Attribute 12
Write Custom Attribute 12
Read Custom Attribute 13
Write Custom Attribute 13
Read Custom Attribute 14
Write Custom Attribute 14
Read Custom Attribute 15
Write Custom Attribute 15
Read Custom Attribute 2
Write Custom Attribute 2
Read Custom Attribute 3
Write Custom Attribute 3
Read Custom Attribute 4
Write Custom Attribute 4
Read Custom Attribute 5
Write Custom Attribute 5
Read Custom Attribute 6
Write Custom Attribute 6
Read Custom Attribute 7
Write Custom Attribute 7
Read Custom Attribute 8
Write Custom Attribute 8
Read Custom Attribute 9
Write Custom Attribute 9
Read deletedItemFlags
Write deletedItemFlags
Read delivContLength
Write delivContLength
Read deliverAndRedirect
Write deliverAndRedirect
Read deliveryMechanism
Write deliveryMechanism
Read delivExtContTypes
Write delivExtContTypes
Read Department
Write Department
Read departmentNumber
Write departmentNumber
Read Description
Write Description
Read desktopProfile
Write desktopProfile
Read Direct Reports
Write Direct Reports
Read Display Name
Write Display Name
Read Division
Write Division
Read dLMemDefault
Write dLMemDefault
Read dLMemRejectPerms
Write dLMemRejectPerms
Read dLMemRejectPermsBL
Write dLMemRejectPermsBL
Read dLMemSubmitPerms
Write dLMemSubmitPerms
Read dLMemSubmitPermsBL
Write dLMemSubmitPermsBL
Read dnQualifier
Write dnQualifier
Read E-Mail Address (Others)
Write E-Mail Address (Others)
Read Employee ID
Write Employee ID
Read employeeNumber
Write employeeNumber
Read employeeType
Write employeeType
Read enabledProtocols
Write enabledProtocols
Read Exchange Home Server
Write Exchange Home Server
Read Exchange Mailbox Store
Write Exchange Mailbox Store
Read expirationTime
Write expirationTime
Read extensionData
Write extensionData
Read Fax Number
Write Fax Number
Read Fax Number (Others)
Write Fax Number (Others)
Read First Name
Write First Name
Read formData
Write formData
Read forwardingAddress
Write forwardingAddress
Read groupMembershipSAM
Write groupMembershipSAM
Read heuristics
Write heuristics
Read Home Address
Write Home Address
Read Home Drive
Write Home Drive
Read Home Folder
Write Home Folder
Read Home Phone
Write Home Phone
Read Home Phone Number (Others)
Write Home Phone Number (Others)
Read homeMTA
Write homeMTA
Read houseIdentifier
Write houseIdentifier
Read ILS Settings
Write ILS Settings
Read importedFrom
Write importedFrom
Read Initials
Write Initials
Read Instant Messaging Address
Write Instant Messaging Address
Read Instant Messaging Home Server URL
Write Instant Messaging Home Server URL
Read Instant Messaging URL
Write Instant Messaging URL
Read International ISDN Number (Others)
Write International ISDN Number (Others)
Read internetEncoding
Write internetEncoding
Read IP Phone Number
Write IP Phone Number
Read IP Phone Number (Others)
Write IP Phone Number (Others)
Read Job Title
Write Job Title
Read jpegPhoto
Write jpegPhoto
Read kMServer
Write kMServer
Read labeledURI
Write labeledURI
Read language
Write language
Read languageCode
Write languageCode
Read lastLogonTimestamp
Write lastLogonTimestamp
Read lockoutTime
Write lockoutTime
Read Logon Name
Write Logon Name
Read Logon Name (pre-Windows 2000)
Write Logon Name (pre-Windows 2000)
Read Logon Workstations
Write Logon Workstations
Read logonHours
Write logonHours
Read logonWorkstation
Write logonWorkstation
Read Manager
Write Manager
Read mAPIRecipient
Write mAPIRecipient
Read mDBOverHardQuotaLimit
Write mDBOverHardQuotaLimit
Read mDBOverQuotaLimit
Write mDBOverQuotaLimit
Read mDBStorageQuota
Write mDBStorageQuota
Read mDBUseDefaults
Write mDBUseDefaults
Read Member Of
Write Member Of
Read Middle Name
Write Middle Name
Read Mobile Number
Write Mobile Number
Read Mobile Number (Others)
Write Mobile Number (Others)
Read mS-DS-CreatorSID
Write mS-DS-CreatorSID
Read msCOM-PartitionSetLink
Write msCOM-PartitionSetLink
Read msCOM-UserLink
Write msCOM-UserLink
Read msCOM-UserPartitionSetLink
Write msCOM-UserPartitionSetLink
Read msDRM-IdentityCertificate
Write msDRM-IdentityCertificate
Read msDS-AllowedToDelegateTo
Write msDS-AllowedToDelegateTo
Read msDS-Approx-Immed-Subordinates
Write msDS-Approx-Immed-Subordinates
Read msDS-Cached-Membership
Write msDS-Cached-Membership
Read msDS-Cached-Membership-Time-Stamp
Write msDS-Cached-Membership-Time-Stamp
Read msDS-KeyVersionNumber
Write msDS-KeyVersionNumber
Read msDs-masteredBy
Write msDs-masteredBy
Read msDS-MembersForAzRoleBL
Write msDS-MembersForAzRoleBL
Read msDS-NCReplCursors
Write msDS-NCReplCursors
Read msDS-NCReplInboundNeighbors
Write msDS-NCReplInboundNeighbors
Read msDS-NCReplOutboundNeighbors
Write msDS-NCReplOutboundNeighbors
Read msDS-NonMembersBL
Write msDS-NonMembersBL
Read msDS-ObjectReferenceBL
Write msDS-ObjectReferenceBL
Read msDS-OperationsForAzRoleBL
Write msDS-OperationsForAzRoleBL
Read msDS-OperationsForAzTaskBL
Write msDS-OperationsForAzTaskBL
Read msDS-ReplAttributeMetaData
Write msDS-ReplAttributeMetaData
Read msDS-ReplValueMetaData
Write msDS-ReplValueMetaData
Read msDS-Site-Affinity
Write msDS-Site-Affinity
Read msDS-TasksForAzRoleBL
Write msDS-TasksForAzRoleBL
Read msDS-TasksForAzTaskBL
Write msDS-TasksForAzTaskBL
Read msDS-User-Account-Control-Computed
Write msDS-User-Account-Control-Computed
Read name
Write name
Read Name
Write Name
Read Notes
Write Notes
Read objectSid
Write objectSid
Read otherLoginWorkstations
Write otherLoginWorkstations
Read Outlook Web Access Server
Write Outlook Web Access Server
Read ownerBL
Write ownerBL
Read Pager Number
Write Pager Number
Read Pager Number (Others)
Write Pager Number (Others)
Read personalPager
Write personalPager
Read Phone Number (Others)
Write Phone Number (Others)
Read photo
Write photo
Read pOPCharacterSet
Write pOPCharacterSet
Read pOPContentFormat
Write pOPContentFormat
Read Post Office Box
Write Post Office Box
Read postalAddress
Write postalAddress
Read preferredLanguage
Write preferredLanguage
Read profilePath
Write profilePath
Read protocolSettings
Write protocolSettings
Read publicDelegates
Write publicDelegates
Read publicDelegatesBL
Write publicDelegatesBL
Read pwdLastSet
Write pwdLastSet
Read replicatedObjectVersion
Write replicatedObjectVersion
Read replicationSensitivity
Write replicationSensitivity
Read replicationSignature
Write replicationSignature
Read roomNumber
Write roomNumber
Read scriptPath
Write scriptPath
Read secretary
Write secretary
Read securityProtocol
Write securityProtocol
Read serialNumber
Write serialNumber
Read street
Write street
Read Street Address
Write Street Address
Read structuralObjectClass
Write structuralObjectClass
Read submissionContLength
Write submissionContLength
Read supportedAlgorithms
Write supportedAlgorithms
Read targetAddress
Write targetAddress
Read Telephone Number
Write Telephone Number
Read telephoneAssistant
Write telephoneAssistant
Read thumbnailLogo
Write thumbnailLogo
Read thumbnailPhoto
Write thumbnailPhoto
Read Title
Write Title
Read tokenGroupsGlobalAndUniversal
Write tokenGroupsGlobalAndUniversal
Read uid
Write uid
Read unauthOrig
Write unauthOrig
Read unauthOrigBL
Write unauthOrigBL
Read unmergedAtts
Write unmergedAtts
Read userAccountControl
Write userAccountControl
Read userCert
Write userCert
Read userCertificate
Write userCertificate
Read userParameters
Write userParameters
Read userPKCS12
Write userPKCS12
Read userSharedFolder
Write userSharedFolder
Read userSharedFolderOther
Write userSharedFolderOther
Read versionNumber
Write versionNumber
Read Web Page Address
Write Web Page Address
Read x500uniqueIdentifier
Write x500uniqueIdentifier
Read ZIP/Postal Code
Write ZIP/Postal Code
 
Jorge de Almeida Pinto

Yes there is...;-)
I guess you changed the msNPAllowDialin option under [computer]. You should
change it under [user]

open up %windir%\system32\dssec.dat again... search for it change the
computer option back to its original value and the user option this time
and try again.

create a custom task for USER specific objects

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
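
Added example (not part of the original posts): the replies above turn on which section of dssec.dat holds the msNPAllowDialin entry that was edited. This Python sketch reports the attribute's filter value per section and changes it in one named section only; the sample file content is constructed, and the only value change assumed is the 7-to-0 edit described in the thread.

```python
# Added example: inspect and edit the per-class attribute filter in a
# dssec.dat-style file. SAMPLE_DSSEC is constructed for illustration and
# is not a copy of a real %windir%\system32\dssec.dat.
import re

SAMPLE_DSSEC = """\
[computer]
msNPAllowDialin=7
operatingSystem=7

[user]
accountExpires=0
msNPAllowDialin=7
userParameters=0
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^(?P<attr>[^=;\s]+)\s*=\s*(?P<value>\S+)\s*$")


def find_filter(text, attribute):
    """Return {section: value} for every section that lists `attribute`."""
    found = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        m = ENTRY_RE.match(line)
        if m and section and m.group("attr").lower() == attribute.lower():
            found[section] = m.group("value")
    return found


def set_filter(text, section, attribute, value):
    """Return new text with `attribute` set to `value` in `section` only.

    Other sections that list the same attribute (for example [computer])
    are left untouched, which is the mistake the thread ran into.
    """
    out = []
    current = None
    changed = False
    for line in text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group("name").lower()
        else:
            m = ENTRY_RE.match(stripped)
            if (m and current == section.lower()
                    and m.group("attr").lower() == attribute.lower()):
                eol = line[len(stripped):]  # keep the original line ending
                line = f"{m.group('attr')}={value}{eol}"
                changed = True
        out.append(line)
    if not changed:
        raise KeyError(f"{attribute} is not listed under [{section}]")
    return "".join(out)


if __name__ == "__main__":
    print("before:", find_filter(SAMPLE_DSSEC, "msNPAllowDialin"))
    edited = set_filter(SAMPLE_DSSEC, "user", "msNPAllowDialin", "0")
    print("after: ", find_filter(edited, "msNPAllowDialin"))
```

Run find_filter against a copy of the real file before and after editing to confirm that only the [user] entry changed.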
 
Guest

hi jorge,

you are right i changed the msNPAllowDialin option under [computer] instead
of the [user] section. i was able to delegate Read/Write msNPAllowDialin to
my helpdesk for a particular OU. will have them test it out and reply here
about the result. hope it works! thanks very much!
 
Guest

hi jorge, setting msNPAllowDialin still didn't grant our helpdesk right to
grant/deny dialin access via ADUC. just to let you and others know. thanks!

 
Jorge de Almeida Pinto [MVP]

I understand "it" does not work for you...

what do you mean with "setting msNPAllowDialin still didn't grant our
helpdesk right to grant/deny dialin access via ADUC"

explain what you have done

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


 
Jorge de Almeida Pinto [MVP]

just tried it myself using aduc and it says:
Dial-in profile changes were not saved because: Access is denied

However, setting the attribute I mentioned through ADSIEDIT.MSC does work

I used W2K3 SP1

 
Guest

Hi Jorge!

That is the exact error message I get via ADUC "changes were not saved
because: Access is denied"

did you mean you set msNPAllowDialin attribute via adsiedit.msc and when
you used ADUC to grant/deny dialin access it worked?

Thanks for following up on this!



 
Jorge de Almeida Pinto [MVP]

Try it yourself...

Through ADSIEDIT I was able to set the attribute to true/false/not set
which corresponds to Allow Dial-in/Deny Dial-in/Through Policies

 
Guest

Hi Jorge.

I tried setting true/false/not set for NPAllowDialin attribute via Adsiedit.
However this will not work because our helpdesk needs to use mmc console to
remote manage AD users. Thanks anyway!

 
