Delegation in AD not working

Tim McClenahan

I have successfully used the Delegation Wizard to delegate
permissions to handle all User and Group objects in the
AD. But when my support desk goes to enable an account or
reset a password they get the "Insufficient access rights
to perform the operation" error message. What else do I
need to check out to get this feature up and running?
 
Joe Richards [MVP]

This is pretty vague and doesn't really tell us what is truly configured.

Could you give a dsacls dump of a user object you are having issues with and we
can go from there.

joe
 
Tim McClenahan

The Delegation Wizard was used to give my support desk the
ability to reset passwords and enable user accounts (aka
user objects); it is not allowing them to do this. The ACL
shows they have these permissions when I view the Advanced
section from the Security tab in AD. What else can I tell
you?
 
Joe Richards [MVP]

A simple dsacls dump will show the permissions on a specific object and verify
that nothing is overriding what you think you accomplished with the GUI. It is
the quickest way to ascertain what is wrong versus me trying to guess at all the
possible things that could be going on.

dsacls is in the support tools. If you haven't loaded them, they are very easy
to load. Check out http://support.microsoft.com/default.aspx?scid=kb;EN-GB;842813

Once loaded you simply type a command like

dsacls "cn=username,cn=users,dc=domain,dc=com"

with a valid DN and it will create a dump of all the permissions applied to that
object. I can then quickly look at that and determine where you stand and what
the next thing could be that needs to be done.
 
Tim McClenahan

Here you go, but the dsacls output in no way looks like the
Advanced tab in Security:

Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow BUILTIN\Administrators                  SPECIAL ACCESS
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              DELETE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow HENRYMAYO\Enterprise Admins             SPECIAL ACCESS
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              DELETE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow HENRYMAYO\Domain Admins                 SPECIAL ACCESS
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              DELETE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS
                                              LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS for Remote Access Information
                                              READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS for General Information
                                              READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS for Group Membership
                                              READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS for Account Restrictions
                                              READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS for Logon Information
                                              READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for Public Information
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for Personal Information
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for displayName
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow Everyone                                Change Password

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS
                                              LIST CONTENTS
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for Public Information
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for Personal Information
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow HENRYMAYO\Exchange Enterprise Servers   SPECIAL ACCESS for displayName
                                              WRITE PROPERTY
                                              READ PROPERTY

The command completed successfully
 
Joe Richards [MVP]

That is why I wanted dsacls, it is the most accurate display of what is going on
other than custom scripts I have written, and they just display the same info as
dsacls, just in a format I like better. :)

The ACL presented here almost certainly came from an object that has the
adminSDHolder functionality impacting it. It means the user is or was at some
time in one of the protected groups. The adminSDHolder clears the inherit
permissions tab so anything applied to an OU will not impact one of these IDs
for more than an hour tops before inheritance is cleared and it gets a special
SD slapped down on it by sdprop.

To find out more about adminSDHolder, simply do a google search with the following

adminsdholder site:microsoft.com

Follow some of the links and read them and you will learn what that
functionality is about. Either the users should be impacted that way, they are
specifically in protected groups and SHOULD be protected (and when I am saying
SHOULD I don't necessarily mean I think you think they should be protected, just
that they should be protected), or they are users who are caught in that
functionality accidentally, either due to previous group membership in the protected
groups or some accident involving a transitive connection. There are various
steps that would need to be followed to clear up the second aspect of the issue
depending on specifically how it happened.

joe
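One way to tell the two cases Joe describes apart, as an added PowerShell example that is not part of this thread: it lists every user SDProp has stamped (adminCount=1) and whether the account is still a transitive member of a protected group, so orphaned accounts (former members that still carry the protected SD and blocked inheritance) stand out. It assumes the ActiveDirectory module, a single domain, and the standard protected group names; the group list is an assumption you should check against your own forest.

```powershell
# Added example (not from the thread). Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed protected-group names; newer ones (Key Admins etc.) are skipped if absent.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Schema Admins', 'Enterprise Admins', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Key Admins', 'Enterprise Key Admins'
)

# Resolve transitive (nested) user membership of each protected group, keyed by DN.
# This covers the "transitive connection" case: a user nested several groups deep.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $protectedMembers.ContainsKey($_.distinguishedName)) {
                $protectedMembers[$_.distinguishedName] = $name
            }
        }
}

# Every user SDProp has stamped, plus its security descriptor so we can read the
# "protected from inheriting permissions" flag that dsacls prints at the top.
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $stamped) {
    $dn = $u.DistinguishedName
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        InheritanceBlocked  = $u.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedVia        = $protectedMembers[$dn]          # $null when orphaned
        Orphaned            = -not $protectedMembers.ContainsKey($dn)
    }
}

# Orphaned = $true rows are the accounts delegation via the OU will never reach
# until someone decides whether they should still be protected.
$report | Sort-Object Orphaned -Descending, SamAccountName | Format-Table -AutoSize
```

Accounts whose Orphaned column is true still carry the adminSDHolder SD and blocked inheritance even though nothing currently makes them protected; whether to clear adminCount and re-enable inheritance on them is a decision for the directory owner, not something to script blindly.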
 