Thread: Delegated account control is getting access denied

  1. #1
    youngy99.at.hotmail.com Guest

    Delegated account control is getting access denied

    Hi everyone,

    I'll skip over some of the things I have tried. But basically the situation
    is this:

    I create a brand new account and delegate these controls for the account
    specifically:-

    allow reset account
    allow read pwdLastSet
    allow write pwdLastSet

    Now that user can select and tick the box for 'user must change password at
    next logon' for any user in the container that delegation has been set up
    for. However, once this has been selected and applied, that user cannot remove
    the tick from the tick box - same object.

    You get an error - The following Active Directory error occurred: Access is
    denied

    But there are no explicit denies for this user and the delegation that has
    been set up. Plus if there was surely you would not be able to tick the
    option in the first place.

    Anyone have experience with this sort of issue?



  2. #2
    Meinolf Weber Guest

    Re: Delegated account control is getting access denied

    Hello youngy99.at.hotmail.com,

    Did you use the delegate control wizard or set this by hand?

    Check out this one:
    http://support.microsoft.com/kb/294952/en-us

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm





  3. #3
    youngy99.at.hotmail.com Guest

    Re: Delegated account control is getting access denied

    Hi,

    I have used both the wizard - which simply applies those security settings.
    As well as manually set the allow options for the three settings already
    covered.

    I think the issue is deeper than use of the wizard.

    Cheers



  4. #4
    Meinolf Weber Guest

    Re: Delegated account control is getting access denied

    Hello youngy99.at.hotmail.com,

    Open the properties from the OU where you have added the account, go to Security
    tab, advanced and check in the permissions window, that you can see your
    account there. Please post all ALLOW fields only for this account with the
    following fields: Permission and Apply to.

    I have also an account created only for reset passwords and unlock accounts
    and in my test it works that the user can check and uncheck the 'user must
    change password at next logon' field. I have 4 ALLOW entries there for my
    test account.

    Best regards

    Meinolf Weber




  5. #5
    youngy99.at.hotmail.com Guest

    Re: Delegated account control is getting access denied

    Hi,

    The problem turned out to be that "Authenticated Users" did not have
    "Unexpire Password" and "Update Password Not Required Bit" (default setting)
    at the domain level. Both being applied to 'this object only'.

    Issue solved!

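    Added example, not part of the original posts: one way to check the condition reported in post #5, by reading the domain head's ACL and reporting whether Authenticated Users holds the two control access rights. It assumes the RSAT ActiveDirectory module and read access to the domain head; the variable names are illustrative.

```powershell
# Added example: assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext

# Control access rights named in the thread, by their CN under CN=Extended-Rights.
$rightNames = 'Unexpire-Password', 'Update-Password-Not-Required-Bit'

# Resolve each right's GUID from the directory instead of hard-coding it.
$rights = foreach ($name in $rightNames) {
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
                 -LDAPFilter "(cn=$name)" -Properties rightsGuid |
        Select-Object @{ n = 'Name'; e = { $name } },
                      @{ n = 'Guid'; e = { [guid]$_.rightsGuid } }
}

# Allow ACEs carrying ExtendedRight for Authenticated Users (well-known SID S-1-5-11).
$sidType = [System.Security.Principal.SecurityIdentifier]
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl = Get-Acl -Path "AD:\$domainDn"
$aces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-11' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extRight)
}

foreach ($right in $rights) {
    # An ACE with an empty ObjectType grants every control access right.
    $match = $aces | Where-Object {
        $_.ObjectType -eq $right.Guid -or $_.ObjectType -eq [guid]::Empty
    }
    [pscustomobject]@{
        Right     = $right.Name
        Granted   = [bool]$match
        # InheritanceType 'None' is what the GUI shows as "This object only".
        AppliesTo = ($match.InheritanceType | Select-Object -Unique) -join ','
    }
}
```

    A row with Granted = False corresponds to the missing permission described in post #5.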


  6. #6
    Jorge de Almeida Pinto [MVP - DS] Guest

    Re: Delegated account control is getting access denied

    also see:
    http://blogs.dirteam.com/blogs/jorge...r-objects.aspx

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * How to ask a question --> http://support.microsoft.com/?id=555375
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!


