Go Back   TechArena Community > Technical Support > Computer Help > Windows Server > Active Directory
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read

Sponsored Links



Delegated account control is getting access denied

Active Directory


Reply
 
Thread Tools Search this Thread
  #1  
Old 06-05-2008
youngy99.at.hotmail.com
 
Posts: n/a
Delegated account control is getting access denied

Hi everyone,

I'll skip over some of the things I have tried. But basically the situation
is this:

I create a barnd new account and delegate these controls for the account
specifically:-

allow reset account
allow read pwdLastSet
allow write pwdLastSet

Now that user can select and tick the box for 'user must change password at
next logon' for any user in the container that delegation has been set up
for. However once this has been selected and applied that user cannot remove
the tick form the tick box - same object.

You get an error - The following Active Directory error occurred: Access is
denied

But there are no explicit denies for this user and the delegation that has
been set up. Plus if there was surely you would not be able to tick the
option in the first place.

Anyone have experience with this sort of issue?



Reply With Quote
  #2  
Old 06-05-2008
Meinolf Weber
 
Posts: n/a
Re: Delegated account control is getting access denied

Hello youngy99.at.hotmail.com,

Did you use the delegate control wizard or set this by hand?

Check out this one:
http://support.microsoft.com/kb/294952/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi everyone,
>
> I'll skip over some of the things I have tried. But basically the
> situation is this:
>
> I create a barnd new account and delegate these controls for the
> account specifically:-
>
> allow reset account
> allow read pwdLastSet
> allow write pwdLastSet
> Now that user can select and tick the box for 'user must change
> password at next logon' for any user in the container that delegation
> has been set up for. However once this has been selected and applied
> that user cannot remove the tick form the tick box - same object.
>
> You get an error - The following Active Directory error occurred:
> Access is denied
>
> But there are no explicit denies for this user and the delegation that
> has been set up. Plus if there was surely you would not be able to
> tick the option in the first place.
>
> Anyone have experience with this sort of issue?
>



Reply With Quote
  #3  
Old 08-05-2008
youngy99.at.hotmail.com
 
Posts: n/a
Re: Delegated account control is getting access denied

Hi,

I have used both the wizard - which simply applies those security settings.
As well as manually set the allow options for the three settings already
covered.

I think the issue is deeper than use of the wizard.

Cheers

"Meinolf Weber" wrote:

> Hello youngy99.at.hotmail.com,
>
> Did you use the delegate control wizard or set this by hand?
>
> Check out this one:
> http://support.microsoft.com/kb/294952/en-us
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi everyone,
> >
> > I'll skip over some of the things I have tried. But basically the
> > situation is this:
> >
> > I create a barnd new account and delegate these controls for the
> > account specifically:-
> >
> > allow reset account
> > allow read pwdLastSet
> > allow write pwdLastSet
> > Now that user can select and tick the box for 'user must change
> > password at next logon' for any user in the container that delegation
> > has been set up for. However once this has been selected and applied
> > that user cannot remove the tick form the tick box - same object.
> >
> > You get an error - The following Active Directory error occurred:
> > Access is denied
> >
> > But there are no explicit denies for this user and the delegation that
> > has been set up. Plus if there was surely you would not be able to
> > tick the option in the first place.
> >
> > Anyone have experience with this sort of issue?
> >

>
>
>

Reply With Quote
  #4  
Old 08-05-2008
Meinolf Weber
 
Posts: n/a
Re: Delegated account control is getting access denied

Hello youngy99.at.hotmail.com,

Open the properties from the OU where you have added the account, go to Security
tab, advanced and check in the permissions window, that you can see your
account there. Please post all ALLOW fields only for this account with the
following fields: Permission and Apply to.

I have also an account created only for reset passwords and unlock accounts
and in my test it works that the user can check and uncheck the 'user must
change password at next logon' field. I have 4 ALLOW entries there for my
test account.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> I have used both the wizard - which simply applies those security
> settings. As well as manually set the allow options for the three
> settings already covered.
>
> I think the issue is deeper than use of the wizard.
>
> Cheers
>
> "Meinolf Weber" wrote:
>
>> Hello youngy99.at.hotmail.com,
>>
>> Did you use the delegate control wizard or set this by hand?
>>
>> Check out this one:
>> http://support.microsoft.com/kb/294952/en-us
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi everyone,
>>>
>>> I'll skip over some of the things I have tried. But basically the
>>> situation is this:
>>>
>>> I create a barnd new account and delegate these controls for the
>>> account specifically:-
>>>
>>> allow reset account
>>> allow read pwdLastSet
>>> allow write pwdLastSet
>>> Now that user can select and tick the box for 'user must change
>>> password at next logon' for any user in the container that
>>> delegation
>>> has been set up for. However once this has been selected and applied
>>> that user cannot remove the tick form the tick box - same object.
>>> You get an error - The following Active Directory error occurred:
>>> Access is denied
>>>
>>> But there are no explicit denies for this user and the delegation
>>> that has been set up. Plus if there was surely you would not be able
>>> to tick the option in the first place.
>>>
>>> Anyone have experience with this sort of issue?
>>>



Reply With Quote
  #5  
Old 15-05-2008
youngy99.at.hotmail.com
 
Posts: n/a
Re: Delegated account control is getting access denied

Hi,

The problem turned out to be that "Authenticated Users" did not have
"Unexpire Password" and "Update Password Not Required Bit" (default setting)
at the domain level. Both being applied to 'this object only'

Issue solved!

"Meinolf Weber" wrote:

> Hello youngy99.at.hotmail.com,
>
> Open the properties from the OU where you have added the account, go to Security
> tab, advanced and check in the permissions window, that you can see your
> account there. Please post all ALLOW fields only for this account with the
> following fields: Permission and Apply to.
>
> I have also an account created only for reset passwords and unlock accounts
> and in my test it works that the user can check and uncheck the 'user must
> change password at next logon' field. I have 4 ALLOW entries there for my
> test account.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi,
> >
> > I have used both the wizard - which simply applies those security
> > settings. As well as manually set the allow options for the three
> > settings already covered.
> >
> > I think the issue is deeper than use of the wizard.
> >
> > Cheers
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello youngy99.at.hotmail.com,
> >>
> >> Did you use the delegate control wizard or set this by hand?
> >>
> >> Check out this one:
> >> http://support.microsoft.com/kb/294952/en-us
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi everyone,
> >>>
> >>> I'll skip over some of the things I have tried. But basically the
> >>> situation is this:
> >>>
> >>> I create a barnd new account and delegate these controls for the
> >>> account specifically:-
> >>>
> >>> allow reset account
> >>> allow read pwdLastSet
> >>> allow write pwdLastSet
> >>> Now that user can select and tick the box for 'user must change
> >>> password at next logon' for any user in the container that
> >>> delegation
> >>> has been set up for. However once this has been selected and applied
> >>> that user cannot remove the tick form the tick box - same object.
> >>> You get an error - The following Active Directory error occurred:
> >>> Access is denied
> >>>
> >>> But there are no explicit denies for this user and the delegation
> >>> that has been set up. Plus if there was surely you would not be able
> >>> to tick the option in the first place.
> >>>
> >>> Anyone have experience with this sort of issue?
> >>>

>
>
>

Reply With Quote
  #6  
Old 21-05-2008
Jorge de Almeida Pinto [MVP - DS]
 
Posts: n/a
Re: Delegated account control is getting access denied

also see:
http://blogs.dirteam.com/blogs/jorge...r-objects.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"youngy99.at.hotmail.com" <youngy99athotmailcom@discussions.microsoft.com>
wrote in message news:1198EA84-9520-4DC5-B24B-1B48095C8C90@microsoft.com...
> Hi,
>
> The problem turned out to be that "Authenticated Users" did not have
> "Unexpire Password" and "Update Password Not Required Bit" (default
> setting)
> at the domain level. Both being applied to 'this object only'
>
> Issue solved!
>
> "Meinolf Weber" wrote:
>
>> Hello youngy99.at.hotmail.com,
>>
>> Open the properties from the OU where you have added the account, go to
>> Security
>> tab, advanced and check in the permissions window, that you can see your
>> account there. Please post all ALLOW fields only for this account with
>> the
>> following fields: Permission and Apply to.
>>
>> I have also an account created only for reset passwords and unlock
>> accounts
>> and in my test it works that the user can check and uncheck the 'user
>> must
>> change password at next logon' field. I have 4 ALLOW entries there for my
>> test account.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>> > Hi,
>> >
>> > I have used both the wizard - which simply applies those security
>> > settings. As well as manually set the allow options for the three
>> > settings already covered.
>> >
>> > I think the issue is deeper than use of the wizard.
>> >
>> > Cheers
>> >
>> > "Meinolf Weber" wrote:
>> >
>> >> Hello youngy99.at.hotmail.com,
>> >>
>> >> Did you use the delegate control wizard or set this by hand?
>> >>
>> >> Check out this one:
>> >> http://support.microsoft.com/kb/294952/en-us
>> >> Best regards
>> >>
>> >> Meinolf Weber
>> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >> confers
>> >> no rights.
>> >> ** Please do NOT email, only reply to Newsgroups
>> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >>> Hi everyone,
>> >>>
>> >>> I'll skip over some of the things I have tried. But basically the
>> >>> situation is this:
>> >>>
>> >>> I create a barnd new account and delegate these controls for the
>> >>> account specifically:-
>> >>>
>> >>> allow reset account
>> >>> allow read pwdLastSet
>> >>> allow write pwdLastSet
>> >>> Now that user can select and tick the box for 'user must change
>> >>> password at next logon' for any user in the container that
>> >>> delegation
>> >>> has been set up for. However once this has been selected and applied
>> >>> that user cannot remove the tick form the tick box - same object.
>> >>> You get an error - The following Active Directory error occurred:
>> >>> Access is denied
>> >>>
>> >>> But there are no explicit denies for this user and the delegation
>> >>> that has been set up. Plus if there was surely you would not be able
>> >>> to tick the option in the first place.
>> >>>
>> >>> Anyone have experience with this sort of issue?
>> >>>

>>
>>
>>


Reply With Quote
Reply

  TechArena Community > Technical Support > Computer Help > Windows Server > Active Directory
Tags: , , ,



Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "Delegated account control is getting access denied"
Thread Thread Starter Forum Replies Last Post
Stuck on a guest account, cannot access windows 7 admin account LavaStones Windows Software 1 11-02-2011 09:49 PM
Server Error 998: Access to the account was denied Aamani Networking & Security 6 19-08-2010 11:29 AM
"Access denied" error in a subfolder that the user has "full-control Justvicks Active Directory 1 19-10-2009 09:48 AM
Access Denied, Access Denied- like a broken record! Sam Vista Help 7 26-04-2008 10:24 AM
File server denied access by Domain Controller: Access is denied because of failure to authenticate Jim Windows Server Help 2 24-05-2007 09:46 AM


All times are GMT +5.5. The time now is 03:04 PM.