Delegation wizard

[KaiserVunderBar]

Hello
Can somebody correct me if I am wrong but, when you delegate control to a
user for an OU that user cannot modify any of their properties? I have
delegated control and the user cannot modify their own logon script yet the
user can modify anybody elses in the same OU. Any ideas??

 

[Herb Martin]

No reason not to be able to modify their own properties.

Do notice that a user doesn't have to be IN the OU to be
delegated control of it.

 

[KaiserVunderBar]

The user in question is in the OU, believe me I'm perplexed. Even if I give
FC on security for the OU and FC for the GPO still cannot modify profile tab
properties

 

[Herb Martin]

The GPO permissions are unrelated (although you might want that for other
reasons)
to the actual permissions on the user objects.

Are you "propagating" those permissions when you change the OU?

Just like in the file system, changes to a "parent container" (directory
or OU) have NO EFFECT one a child object (e.g., file or user)
unless you choose to propagate.

Since propagate is the default with some tools, many people are
unaware of this simple permission rule.

Permissions on the PARENT OBJECT are UNRELATED to
permissions on the CHILD object -- except through historical
accident.