Delegated account control is getting access denied
Hi everyone,
I'll skip over some of the things I have tried. But basically the situation
is this:
I create a brand new account and delegate these controls for the account
specifically:-
allow reset account
allow read pwdLastSet
allow write pwdLastSet
Now that user can select and tick the box for 'user must change password at
next logon' for any user in the container that delegation has been set up
for. However once this has been selected and applied that user cannot remove
the tick from the tick box - same object.
You get an error - The following Active Directory error occurred: Access is
denied
But there are no explicit denies for this user and the delegation that has
been set up. Plus if there was surely you would not be able to tick the
option in the first place.
Anyone have experience with this sort of issue?
Re: Delegated account control is getting access denied
Hello youngy99.at.hotmail.com,
Did you use the delegate control wizard or set this by hand?
Check out this one:
http://support.microsoft.com/kb/294952/en-us
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Delegated account control is getting access denied
Hi,
I have used both the wizard - which simply applies those security settings -
as well as manually setting the allow options for the three settings already
covered.
I think the issue is deeper than use of the wizard.
Cheers
Re: Delegated account control is getting access denied
Hello youngy99.at.hotmail.com,
Open the properties of the OU where you have added the account, go to the
Security tab, Advanced, and check in the permissions window that you can see
your account there. Please post all ALLOW fields only for this account with the
following fields: Permission and Apply to.
I also have an account created only for resetting passwords and unlocking
accounts, and in my test it works that the user can check and uncheck the 'user
must change password at next logon' field. I have 4 ALLOW entries there for my
test account.
Best regards
Meinolf Weber
Re: Delegated account control is getting access denied
Hi,
The problem turned out to be that "Authenticated Users" did not have
"Unexpire Password" and "Update Password Not Required Bit" (default setting)
at the domain level. Both being applied to 'this object only'.
Issue solved!
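A read-only check for the condition described in the post above, as an added example that is not part of the original thread: it reports whether Authenticated Users holds the "Unexpire Password" and "Update Password Not Required Bit" control access rights on the domain head, applied to this object only. It assumes the ActiveDirectory (RSAT) PowerShell module and a session on a domain-joined machine; the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: lists, never modifies, the ACL.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve the two control access rights named in the post to their rightsGuid
# values by looking them up in the directory instead of hard-coding GUIDs.
$wanted = @{}
foreach ($cn in 'Unexpire-Password', 'Update-Password-Not-Required-Bit') {
    $right = Get-ADObject -SearchBase $rightsDN -LDAPFilter "(cn=$cn)" -Properties rightsGuid
    if (-not $right) { throw "Control access right '$cn' not found under $rightsDN" }
    $wanted[$cn] = [guid]$right.rightsGuid
}

# Read the ACEs on the domain head with SIDs as identities, so the comparison
# does not depend on the localized name of the group.
$acl   = Get-Acl -Path "AD:\$domainDN"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$authenticatedUsers = 'S-1-5-11'   # well-known SID for Authenticated Users

$report = foreach ($cn in $wanted.Keys) {
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $authenticatedUsers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $wanted[$cn] -and
        $_.InheritanceType -eq 'None'          # "This object only"
    }
    [pscustomobject]@{
        ControlAccessRight = $cn
        RightsGuid         = $wanted[$cn]
        PresentOnDomain    = [bool]$match
    }
}
$report | Format-Table -AutoSize
```

A row with PresentOnDomain set to False corresponds to the missing entry the poster describes. The check looks only for ACEs that name the right explicitly, so a broader grant that happens to cover it is not reported.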
Re: Delegated account control is getting access denied
also see:
http://blogs.dirteam.com/blogs/jorge...r-objects.aspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------