2003 Server Client/Delegation and Data Issues

Discussion in 'Active Directory' started by Diane, Aug 10, 2009.

  1. Diane

    Diane Guest

    Windows 2000 DC, Win2003/sp2 member server with Adminpak for Windows Server
    2003 sp2

    I have been going 2 steps back and 3 forward on this, but now I seem to be
    just going backwards. I have concluded that since I'm new to all this, I'm
    may be missing some basic understanding of how this is suppose to work.

    I want to delegate the ability to unlock user accounts to 3 non-technical
    users in a firm. I have a global security group for the 3 users. On the OU
    that I want these folks to be able to manage, I have delegated permissions to
    the group (read/write lockout). I checked the security/advanced tab and they
    appear to be assigned correctly.

    The issue is on the Win2003 server. The goal is for them to be able to log
    into the server with their own user accounts to access a very limited
    console. However, after installing the adminpak for Winserver 2003/sp2, just
    the admin tools, I noticed that in the administrator account the data in the
    console is not up to date. For example, it shows an account as locked out,
    when on the DC it is not (it had been at some point, but was unlocked).
    Also, when I log in as one of the delegates, the unlock is grayed out and
    also shows the same incorrect data as the admin account. I had this working
    for just one of delegates - then they wanted to add more people. After I
    created the group and went to recreate my steps, nothing worked. I have run
    dsrevoke on the DC and permissions appeared correct to me. I have also
    installed and uninstalled the console, rebooted, etc. to no avail. I have no
    idea what to try next and would greatly appreciate guidance to get me going
    forward again.

    Thank you,
    Diane, Aug 10, 2009
    1. Advertisements

  2. Meinolf Weber [MVP-DS], Aug 11, 2009
    1. Advertisements

  3. Diane

    Jorge Silva Guest

    Please have a look at this link to help you with that task:

    The fact that you see "incorrect data" when using the mmc tools may be
    caused by the fact the replication didn't occured yet, or it's failling.
    Check if your replication is working properly. You may yse this link to help
    you with that task:

    I hope that the information above helps you.
    Have a Nice day.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Jorge Silva
    MVP Directory Services
    Jorge Silva, Aug 11, 2009
  4. Is there a reason you have them logging into a seperate machine to manage
    these accounts? They should be able to be controlled from their own

    I think Jorge's blog on this could help you out:

    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009


    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
    Paul Bergson [MVP-DS], Aug 11, 2009
  5. Diane

    Diane Guest

    Hello Meinholf,

    This is a small site, only 2 Win2K DCs. Thank you for the reference
    article. I am familiar with it and used it initially to set up delegation.

    Diane, Aug 11, 2009
  6. Diane

    Diane Guest

    Thank you Jorge. I also suspect replication. I will take a look at these
    articles and see if I can find something that is causing the issue in this
    area. I keep everyone posted on what I find.

    Diane, Aug 11, 2009
  7. Diane

    Diane Guest

    Thank you Paul. I will go through Jorge's blog plus the links he sent. I
    agree with you re: the desktops. I tested the adminpak on an xp pro/sp3
    desktop and ran into MMC conflicts with sp3. I had to remove it to enable
    mmc to work. I plan to try again, however, these same folks also need the
    ability to unlock the backup autoloader (when necessary) to change tapes
    which is on the same server. For the time being, I thought I would
    centralize their access.

    Diane, Aug 11, 2009
  8. Diane

    Diane Guest

    Hello again,

    I realized I did not completely answer your question. Both DCs are in the
    same site - the AD is less then 100 users. The "incorrect" console data
    has been present for over 24 hrs, leading me to suspect replication as Jorge

    Thanks Again,

    Diane, Aug 11, 2009
  9. Different Jorge :)

    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009


    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
    Paul Bergson [MVP-DS], Aug 11, 2009
  10. Diane

    Diane Guest

    Thanks Paul.

    As an update to all, I have checked the replication between the 2 DCs and
    all looks fine to my eye. No errors in the replication logs, both have
    updated AD data, and the replication monitor reports they have both received
    successful updates recently.

    Since my last post, I also -
    - Went through all the services on the Win23K server to look for a unstarted
    services that may be needed, but nothing jumped out.
    - Checked the delegation permissions on the OU containing the admin group
    amd its members. It showed the read/write property as not inherited, and
    applying to user objects.

    In thinking further about this, how does a member server interact with the
    DC to get/receive updates and present data in the admin console? As I
    understand it, it is not part of the DC replication activity.

    - Is there some service or other function I need to check that makes this
    happen? -- Also, does the group with delegation permissions need to be a
    local group on the server??
    - What is the best way to check the delegation permissions at the user level?

    One other thought I had was I have not extended the DC schema in any way for
    Win23K, my understanding is that is not necessary unless we have Win23K DCs -

    The console itself appears to be working fine, meaning snap-ins can be
    added, etc. Is it worth it to try to reinstall again - does that "trigger" a
    data refresh? I did reinstall already and it did not change the issue.

    I am sorry for so many questions, and appreciate everyone's help and guidance.

    Diane, Aug 11, 2009
  11. Hello Diane,

    You are correct, for member servers use of 2003 no schema upgrade is needed,
    only for adding 2003 DCs. If you check the user account properties on the
    DC and they are shown correct and you connect form the 2003 AD UC to that
    DC there is still a difference? Did you also use F5 to update the AD UC console
    on the 2003, changes require a manual update?

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Aug 11, 2009

  12. Just for a test, laughs and giggles (using the phrase loosely), read my blog
    on this. I have a feeling that the DLLs are a bit different if the Schema
    has not been extended, meaning you are using a 2003 server's adminpak that
    may be querying attributes that do not exist in 2000 without extending the
    Schema. Just a hunch. Anyway, read the following, and the part that refers
    to the DLLs to copy over, use the 2000's DLLs and not the 2003 DLLs, and see
    if it works on an XP test machine. Keep in mind, do not install the
    adminpack, just the DLLs and register them. Let us know how you make out.

    Create a custom ADUC MMC

    After you Delegate Permissions in to a limited admin in Active Directory,
    such as the ability to reset passwords, you may want to create a custom ADUC

    (console or custom taskpad) for the delegated admin to control the portion
    of AD they are allowed in.
    By Ace Fekay
    Last updated - 2/2006

    The last ones I created for one customer, which involved a snapin for each
    'location' OU, I allowed to retain the rt-click context, and the tree view
    available in the custom console (left pane and right pane), but I removed
    everything else including the file menu buttons and such. So under View,
    Customize, uncheck everything except the top one that says Console Tree.
    This way they can't go up level or click any of the things in there. But
    they will have the rt-click feature.

    You can also choose to remove the left hand pane (tree view).

    MMC 2 and 3 are the same:

    Start/run/mmc, hit enter
    File, Add-Remove Snap-in, Add ADUC
    Drill down under the domain to the OU you want.
    Rt-click on that OU, choose new window from here.
    A new window pops up with the OU in the left pane and the contents in the
    right pane.
    Close the original ADUC window leaving the new window open that you've just
    Expand the window to take up the whole console.
    Now they will not be able to go up levels and are 'stuck' in this OU.
    Uncheck everything but Console Tree.
    File/Options Choose Console Mode:
    User mode: Limited Accessm single window
    Check: Do not Save Changes to this console
    Uncheck: Allow the user to customize views
    Save it. Logon as a test user delegated whatever perms to do on those users
    and test it.

    If you want to eliminate the rt-clicking on a user account, uncheck the
    Console Tree above and change the console view by rt-clicking on the OU,
    choose New Task View, and choose a vertical or horizontal list, then choose
    to create a new task, menu command, highlight a user account, choose reset
    pasword, or anything else in the right column, choose an icon, and finish.

    Copy the MSC file via a UNC connected to the delegated person's
    workstation's Doc and Setttings\username\desktop folder.

    Then copy over the following three DLLS from the 2003 DC you are on, to
    their XP system32 folder. All three of these are needed on a 2003 DC or the
    ADUC won't open. However, on an XP machine, you only need two. If I were to
    allow users to change passwords and create a custom MMC for just that OU,
    then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.

    adprop.dll (for object properties)
    dsadmin.dll (ability to alter object properties)
    dsprop.dll (for object properties related to directory services)

    Then you can use PSEXEC (one of the PSTools available free from Microsoft's
    site) to remotely regsrv32 the DLLS on their machines.
    psexec \\machinename regsvr32 adprop.dll
    psexec \\machinename regsvr32 dsadmin.dll
    psexec \\machinename regsvr32 dsprop.dll


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
    Ace Fekay [MCT], Aug 12, 2009
  13. Diane

    Diane Guest

    Hi Ace,

    Thanks for the idea. Laughs and giggles are welcome about now! I should be
    able to try this out tomorrow when I can get access to a test XP system. I
    have refreshed the view per Meinhoff's suggestion, but no change. I have
    checked the read/write lockout permission on the 2003 console by going
    through a delegation process. They are present to be assigned. I did not
    assign them again from here, just wanted to see if they showed up. What is
    the best way to tell if the proper permissions are applied to each admin user?

    I'll get back to you when I have some results.

    Thanks again,

    Diane, Aug 13, 2009
  14. By looking at the user or group permissions assigned in the ACL of the OU's
    security tab. You can also click on Advanced, Effective Permissions tab, and
    add the user or group and see what their effective permissions are.

    Also, earlier there was a hint at replication issues. Not sure if this
    applies, but it may be a concern for DNS config issues, whch will affect
    refreshing or viewing data. How many DCs do you have? Can you post an
    ipconfig /all of two of the DCs and the server the junior admins are using,
    to allow us to eliminate this possibility.

    We'll try to get you to the laughs and giggles stage... :)

    Ace Fekay [MCT], Aug 13, 2009
  15. Diane

    Diane Guest

    Hi Ace,

    Here's an update -

    The Win2K DC's did not have an adprop.dll - checked them both. All I found
    was a help file. The dsadmin.dll that I moved to my XP test system from DC1
    would not register. The error was "the specific procedure could not be
    found" on the Load Library step.
    My research indicated it might be because the .dll is too old. The version
    is 5.00.2195.6662 from 6/19/2003 so it's an oldie. I checked the win23k
    server, it had both DLL's - version # 5.2.3790.3959. The permissions for the
    junior admins show correctly on the DCs and in the console on win23k even
    though they don't seem to work.

    I have not seen any DNS errors logged, but it's always good to check.
    The DNS settings are as follows:

    Windows IP Configuration

    Win23K Server:

    Host Name . . . . . . . . . . . . : cmacas1

    Primary Dns Suffix . . . . . . . : craig.com

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : craig.com

    Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard:

    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

    Physical Address. . . . . . . . . : 00-C0-9F-42-93-21

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . :

    Subnet Mask . . . . . . . . . . . :

    Default Gateway . . . . . . . . . :

    DNS Servers . . . . . . . . . . . :

    DC1 (Global Catalog):
    Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : cmacms1
    Primary DNS Suffix . . . . . . . : craig.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : craig.com

    Ethernet adapter Intel 82544GC Based Network Connection -
    onboard: Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
    Physical Address. . . . . . . . . : 00-0D-56-FD-22-A6
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :


    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : cmacbdc
    Primary DNS Suffix . . . . . . . : craig.com
    Node Type . . . . . . . . . . . . : Broadcast

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No

    DNS Suffix Search List. . . . . . : craig.com

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
    Physical Address. . . . . . . . . : 00-D0-B7-E8-0A-E6

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . :

    Subnet Mask . . . . . . . . . . . :

    Default Gateway . . . . . . . . . :

    DNS Servers . . . . . . . . . . . :

    I hope this helps uncover some problem!

    Thanks very much for your time and interest.

    Diane, Aug 13, 2009
  16. Hi Diane,

    Your configs actually look fine! Good job!

    The only recommendation I would make is for cmacbdc to point to itself
    first, then the other one as second. Other than that, they look great.

    Also make both DCs a GC, if this is one domain.

    So it's not a DNS issue. I assume no errors in the event logs.

    Then it *may* just be a Schema difference. That's the only thing I can think
    of. I haven't come across such a thing yet, nor do I have a test environment
    like this to test. The only other thing I can suggest is if there is another
    2000 server (not a DC) that you can test it with that has the 2000 versions.

    Ace Fekay [MCT], Aug 14, 2009
  17. Diane

    Diane Guest

    Hi Ace,

    Thanks for checking the DNS settings - good news there! I will make the
    second DC a GC, it is one domain - should have done that before, so thank you
    for the reminder.

    I decided to test another win2003/R2 member server - same issue! I'm
    kicking myself for not looking at this earlier. So, the *potential* for a
    schema difference is looking stronger. I do have another win2k server which
    has been taken offline. I'll get it back online for a test, though it may
    take a day or two to arrange it. It's pretty clear the win2K AD is old
    because of the product age. I am wondering though, what is the update
    process for AD within an OS version? I do not think I have seen an update
    via the "normal" channels for AD. If it is the schema, are there any updates
    I could "safely" apply to the win2k DCs at this point to help this situation?

    Thanks very much again. I'll report back when I have more news.

    Diane, Aug 14, 2009
  18. You can just update the Schema to the 2003 R2 version by running from the
    2003 CD or from one of the 2003 machines (logged on as EA, of course):
    adprep /forestprep
    adprep /domainprep

    If you get any errors, such as if you have Exchange 2000 installed, we'll
    address that as we go along.

    Ace Fekay [MCT], Aug 14, 2009
  19. Diane

    Diane Guest

    Hello again Ace -

    I'm sorry I have not been in touch for a few days. I got redirected to a
    user with a huge data load for an application. That is under control, so I
    am back looking at AD.

    A few updates - The win2003 server is now showing the proper AD data. I
    really don't know what caused this change, but it is for the better. The
    junior admin still cannot unlock - the last issue. As I learn my way around
    AD, I am starting to suspect a permissions conflict as I have poked around
    further into the various groups this user is a member of. This may be a
    case of a little knowledge being dangerous as I can clearly see there is a
    ton to learn here - if you can bear with me, this is what I observed.

    The jr admin is a member of the Remote Desktop Users group at the domain
    level which has no AD permissions. On the win23k server, there is also a
    local Remote Desktop Users group. I added the junior admin group to the
    local Remote Desktop to give them terminal services access. That works fine.
    Logging on as the administrator on the win23k server, I can look at the jr
    admin and see she has the read/write lockout capability as a member of the jr
    admins group (properties/advanced/effective permissions). When I look at her
    remote desktop group effective permissions, that permission does not exist.
    I did some research on permission precedence and my head is now spinning. I
    saw that precedence started with the local system and worked up to the
    domain. I know there are also various places where I can allow inheritance.
    If you think this is a reasonable source of the problem, could you please jot
    down what needs to be set where for inheritance and permissions on the domain
    and local system? I also noted a few entries with account unknown with a red
    question mark. My "keep things clean" attitude really wants to delete them,
    but I could not find a good description of why they occur and if it's OK to
    just delete them. I would very much appreciate it if you could point me to a
    resource, or help me understand their source.

    Thank you very much for your continuing help and support.
    Diane, Aug 19, 2009
  20. Ok, it seems like permissions may be the issue.

    As a test, create a plane old Domain User account. Don't add it to the
    Remote Desktop group. Delegate the account to the OU with the same tasks as
    you did the other one that's not working. On a test desktop, follow the
    procedure I previously posted about just adding the ADUC to the machine,
    that is if the adminpak has not been installed yet, if it is, no problem.
    Open ADUC console, and test it.

    If it works, that's good.

    Then remove the account from the OU's Security tab. Then add the test
    account to the Jr Admin Group, and log out the account, then log back in,
    and test it again. If it works, then it's something on the Windows 2003
    server causing it. If it doesn't work, then something's denying that group.

    As for permissions guidelines, as long as she has permissions by being in
    the Jr Admin Group, and not denied in any other group, whether the group has
    the permissions or not, she will have the permissions in AD because
    permissions are accumulative, meaning the account gets all permissions in
    all the groups that it's been added.

    I hope that helps.

    Ace Fekay [MCT], Aug 20, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.