Trying to delegate permissions to a group on a OU; but cant find 2 properties in special permissions for "User Objects" they are "Read Lockout Time" and "Write Lockout Time" any reason i couldnt see them? I am using ADUC tool on a windows 7 machine with domain consisting of both windows 2003 R2 and Windows 2008 R2 domain controllers and i am a domain admin.
Asked
Active
Viewed 5,619 times
3
Darktux
- 827
- 5
- 20
- 36
-
1Are you looking at Property-specific permissions? – joeqwerty Nov 11 '13 at 22:25
-
Did my answer actually fix your issue, or did @joeqwerty's comment above point you in the right direction? – TheCleaner Nov 13 '13 at 15:57
1 Answers
3
Did you actually %windir%\System32\dssec.dat to allow you to see these in ADUC on the computer you are using to create the delegations? If you haven't changed the values from 7 to 0 then it won't show up in the GUI.
See here for details: http://www.expta.com/2008/09/how-to-delegate-right-to-unlock-user.html
TheCleaner
- 32,352
- 26
- 126
- 188
-
Interesting info, but I've never had to do that and I can see both attributes. ? – joeqwerty Nov 11 '13 at 22:40
-
@joeqwerty - I believe it is specific to the machine you are on. A 2008 machine doesn't even have this attribute listed in dssec.dat and you are right you can see it in the GUI of a 2008 server. I wonder if the OP's 7 machine he was trying this from didn't have it set right in dssec.dat? That was the only thing I could think of when he said he couldn't see it. I wonder if your comment is the right answer and he simply accepted mine? I'll post a comment and see, happy to delete my answer if your comment led him to making sure he checked the box. – TheCleaner Nov 13 '13 at 15:56
-
It couldnt see it when i did a Right click on OU and went to properties and security tab and looked at the permissions; but i found it when i used "Delegate Control " option when right clicking the OU and navigating to user objects properties. I didnt need to make any changes on the dssec.dat file. – Darktux Nov 13 '13 at 17:33