Delegation of control not working

  • Thread starter Thread starter Stevo
  • Start date Start date
S

Stevo

I have run the delegation of control wizard at the
root domain object and set the parameters in hopes of
having a group of people to only be able to change
passwords on any and all ou's in the structure. All seems
to go well with no errors but when I log back in as one
of the people restricted in the group and run the active
directory users and computers snap in I am still able to
add users, create ou's etc. Any ideas as to why this
policy may not be applying to the entire directory?

Thanks in advance,

Stevo
 
Stevo said:
I have run the delegation of control wizard at the
root domain object and set the parameters in hopes of
having a group of people to only be able to change
passwords on any and all ou's in the structure. All seems
to go well with no errors but when I log back in as one
of the people restricted in the group and run the active
directory users and computers snap in I am still able to
add users, create ou's etc. Any ideas as to why this
policy may not be applying to the entire directory?
Click to expand...

Maybe you have a typo above but what you describe sounds
perfectly normal: Delegation of Control does NOT remove or
restrict delegation, it merely GRANTS (new) delegation.

You can't take away power with Delegation Wizard -- only give it.
 
Hello Stevo.

It sounds like the users are members of the administrators group--they have
full rights throughout the entire domain. Delegation is only useful when
users without administrative access need to have only a few specific rights,
such as changing password or creating users in a single OU.

Please detemine if you need to remove the users from an administrative
group, and then try the delegation again.

Best Regards,
David Fisher
Enterprise Platform Support
 
How do I remove or revoke delegation?
Maybe you have a typo above but what you describe sounds
perfectly normal: Delegation of Control does NOT remove or
restrict delegation, it merely GRANTS (new) delegation.

You can't take away power with Delegation Wizard -- only give it.
Click to expand...
 
You can't take away power with Delegation Wizard -- only give it.

With the direct "security tab" (permissions) one each AD object or for
a container through inheritance, propagation, and even reset (similar to
directory/file permissions.)

Right click on any object and select the Security tab (you will need to have
Menu: View\Advanced selected to see this tab.)
 
Back
Top