2003 Server Client/Delegation and Data Issues

Discussion in 'Active Directory' started by Diane, Aug 10, 2009.

  1. Diane

    Diane Guest

    Hi Ace,

    The test account has the same issue as the junior admin. The lockout is
    grayed out. The AD information is up to date - I could view the account I
    had just created, and all else looked fine. Good test - it appears it's not
    the group, so I guess we're left with something denying all users, or
    something on the win23k server? I could not get the old win2k box on line
    due to other commitment. I will still go for that. If it's works, that
    would eliminate the denying all users possibility and leave the win23k
    server. If you have other ideas about what I can look at, I would be
    grateful.

    Thank you!

    Diane
     
    Diane, Aug 21, 2009
    #21
    1. Advertisements


  2. So it's not the group. Interesting. Was anything denied in AD for Auth Users
    or by groups, perhaps as a security precaution?

    To test if it is the 2003 server or not, try it from a desktop, with that
    DLL and regsrv32 procedure I mentioned. If it works on the desktop, and not
    on the 2003 server, then you know it's the server. If it doesn't work on the
    desktop, then you may be a denial in AD somewhere that someone previously
    put in. I rememver something similar at one place I worked as an Exchange
    consultant. The AD guy placed a denial on something, but he wouldn't tell us
    what it was (security - hush hush sort of thing - he was like that). I only
    had Exchange rights, but not to AD, so we never did figure it out.

    Ace
     
    Ace Fekay [MCT], Aug 21, 2009
    #22
    1. Advertisements

  3. Diane

    Diane Guest

    Hi Ace - I only had time for a quick look at other possible "denials" and did
    not see any. I will look again more carefully over the weekend. For the
    DLL/regsvr32 process, I could not locate all win2000 DC DLLs last time, and
    could not register the one I found. Should I try the new account with the
    Win2003 admin kit instead?

    Thank you!
     
    Diane, Aug 22, 2009
    #23
  4. Yes, give it a shot. At this time, the more you experiment, at least it's a
    learning phase that will help you moving forward. I'm sure you've
    accumulated some helpful knowledge from this so far!

    Ace
     
    Ace Fekay [MCT], Aug 22, 2009
    #24
  5. Diane

    Diane Guest

    Hello Again Ace,

    Well, this is getting more interesting (yes, and learning along the way!).
    The new test account does not work on an XP or win2k server (the one I had
    that I brought back on-line). Same scenario - the lockout box is grayed out.
    I looked at the users/authenticated users account - there are no express
    denials, and a number of "read" allow options. In the Builtin/Users folder,
    authenticated users, domain users, interactive, and a sqlagentexec are listed
    as members. I noticed when I look at the security/advanced for users, the
    domain users are not listed. Is that normal?? It seems odd to me that the
    domain users are a member of this group, but one thing I surely know at this
    point is that I know about 1% of this subject. I guess I am suspecting it,
    because the only group the test account is a member of is this group. If
    there is any other data I can give you, please let me know. I am at a loss
    of where to look next. Thank you for hanging in with me on this.

    Diane
     
    Diane, Aug 24, 2009
    #25
  6. HI Diane,

    I don't have a lab setup or classroom setup to put this all together, but
    IIRC, Domain Users wouldn't be in the list, rather Auth Users should have
    Read. That should be the default in the whole forest.

    What exactly did you delegate? Which objects did you delegate to?

    Ok, another question, is the account actually locked out that you're looking
    at? If the account is not locked out, then the Account Lockout checkbox will
    be grayed out. You can't lock an account in here, there is no such
    provision. When an account gets locked out due to multiple failed attempts,
    then the lockout checkbox will no longer be grayed out so you can uncheck
    it.

    Ace
     
    Ace Fekay [MCT], Aug 25, 2009
    #26
  7. Diane

    Diane Guest

    Hi Ace,

    Thanks for your questions. On the DC, I first went through the process to
    "reveal" the read and write lockout time permissions. I had a security group
    for the intended junior admins, so I then went to an OU containing the user
    accounts for the domain. I then selected the delegate control option, named
    the junior admin group, created a custom task to delegate control only to
    user objects, selected the read and write lockout capability, selected
    property specific permissions and chose the read and write lockout time
    permissions. Do I need to add the junior admin group as a group (or anywhere
    else) on the local system? I can't remember right now if I did or did not
    add it. I know I gave them remote access permissions.

    I understand the "grayed out" lockout scenario. I have an account that I
    lock out before checking the AD. I can see the check mark in the grayed out
    box.

    Questions are good - it's easy to become blindsided after looking at the
    same thing over and over. I am certainly wondering if this is something
    simple I am just plain missing. Do I understand correctly, that you are
    thinking the domain user group should not be in the builtin/users folder?
    What would be the impact of removing it? - don't want to cause havoc
    elsewhere. I did see some research that stated the auth users was there by
    default - no mention of domain users.

    Thank you once more,

    Diane
     
    Diane, Aug 25, 2009
    #27
  8. As long as the junior admins can logon locally, logon interactively and
    remotely, no, I don't see it needed otherwise.
    That's where it is by default. Where is it now?
    I'm not sure if moving it from the default location (the Users container in
    AD) would cause a problem, unless it's been moved to an OU where a GPO is
    restricting it some how. I haven't heard of anyone moving any of the default
    groups out of the default containers, so I don't have an answer.
    No, it should just be Auth Users, not Domain Users.
    You are welcome. Apparently something was changed at one time or another
    that's causing this, unless I'm totally overseeing something obvious that is
    not sticking out.

    Ace
     
    Ace Fekay [MCT], Aug 25, 2009
    #28

  9. Diane,

    Curious, on an account that the jr admin is looking at with the grayed out
    lockout checbox, look at that user account's properties, security tab. Does
    the jr admin account or group, have the permissions that you delegated at
    the OU level, or is it different? If different, and you force inheritance
    from the parent onto the user account properties, does it show? If so, have
    the jr admin now check the user account properties to see if it's still
    grayed out.

    What I'm getting at, and I know you're going to ask, is to see if there's an
    issue going on by the AdminSDHolder. Read the following to understand what
    I'm talking about, and what I think may be going on.

    AdminSDHolder, Protected Groups and SDPROP
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    AdminSDHolder
    http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

    Script to set/clear INHERITANCE flag on AD objects
    http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx


    Ace
     
    Ace Fekay [MCT], Aug 26, 2009
    #29
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.