Can not edit user properties

G

Guest

A problems has arisen with editing domain user properties. My helpdesk group had the ability to unlock user accounts and change information until last week. In an effort to get a patch applied to all of our domain workstations I put the domain users group into the domain admins group. This way the users had install privileges and could install the patch. After applying the patch I removed the users group from the admins group. However, since that time our helpdesk (which has some delegated authority) can not access any of the users properties, it is all grayed out. I have re-delegated the helpdesk group on the domain users OU, which has allowed the helpdesk access to the OU properties, but the users properties are still grayed. Any suggestions would be appreciated.
 
M

Matjaz Ladava [MVP]

Never add Domain Users in Domain Admins group, rather give them local Admin
rights on their workstations trough restricted groups policy settings.
What users can do on AD objects is governed by permissions. In active
directory users and computers under advanced view enable Advanced features
and next see the security settings on user objects to check what permissions
apply. Use delegation of control wizard on your OU to set again permissions
for your helpdesk personnel.

--

Regards
Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
G

Guest

I had done as you suggested and found that the "Inherit permissions.." box (at the user level) was cleared for all users. I then checked the security/advanced window (at the OU level) and found that the "Apply these permissions.." box was also cleared. I have checked that box in hopes that the permissions applied to the OU will propagate down to the users

----- Matjaz Ladava [MVP] wrote: ----

Never add Domain Users in Domain Admins group, rather give them local Admin
rights on their workstations trough restricted groups policy settings
What users can do on AD objects is governed by permissions. In active
directory users and computers under advanced view enable Advanced features
and next see the security settings on user objects to check what permissions
apply. Use delegation of control wizard on your OU to set again permissions
for your helpdesk personnel

--

Regard
Matjaz Ladava, MCSA, MCSE, MCT, MV
Microsoft MVP Windows Server - Active Director
(e-mail address removed), (e-mail address removed)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Delegation not working 1
Permissions not applied to every user 4
Prevent users from joining Computers to domain? 4
How do I apply a GPO to an individual user for his computer only? 2
delegation for user container - delgated users cant administer someuser accounts 1
How to prevent user to see default AD containers? 1
Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
not saving security settings 3

Top