AD Delegation

R

Richard

I have enabled delegation so that I can give a certain
user the right to unlock user accounts. However, I
cannot seem to unlock user accounts that have been
migrated from NT 4 to the new domain. I can however
unlock accounts created in the new domain.

Any ideas out there.

Thanks everyone for your help,
Richard
 
G

Guest

-----Original Message-----
What tool are you using to unlock the account?
.
Click to expand...
==========================================================
AD Users and Computers. I have modified the file to
allow and administrator to delegate a group or a user to
unlock accounts on an OU that I have created. That user
that I have granted that right to however cannot unlock
accounts that have been migrated to Active Directory. I
at first thought the delegation was not working, however
that user can unlock accounts that have been created
within AD. It is a Windows 2003 domain.
 
J

Jack

I am sure you've already checked this, but I just want to
make sure we cover the basics. When accounts are
migrated from NT to AD, they are typically put into the
Users container. If you are placing security on an OU,
the user container will not be in the proper scope.
Delegation works via inheritance, so only things down
from where the security is set will be affected.

That is a working e-mail address if you want to e-mail me.

-Jack
 
J

Joe Richards [MVP]

Use DSACLS to dump the ACL for an account that works and one that doesn't. Post them both. I am guessing the delegation
is not working as you expect because possibly the accounts don't have inheritence enabled for some reason.

joe
 
G

Guest

I guess so too. We have just completed a large pristine forest migration and see this problem, it's down to inheritance being off on certain objects. I cannot see why it goes off but it seems to be a migrational issue, but not with ALL accounts migrated from NT4, there is no pattern emerging as of yet

Ben
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

AD Delegation question 2
Delegation of Control 1
Righs to unlock accounts:Set "read/write accountlockout" time, but option is still gray out 1
Delegate Authority to Unlock Users 2
not saving security settings 3
delegation wizard problem.. 4
Delegate Permissions on OU 1
Delegation 1

Top