
I installed AD LDS on a W2012R2. Everything is working fine. Now I want to create new Roles that grant groups permission to create/modify/delete users in a certain container. (I used this article.)

For example, this is my instance:

OU=extra,DC=domain,DC=local
|--CN=LostAndFound
|--CN=Roles
|--|----CN=Administrators (Created by default)
|--|----CN=Readers (Created by default)
|--|----CN=Users (Created by default)
|--|----CN=AdminGroupCustomer1 (Created by myself)
|--OU=Users (Created by default, I just chose the name and type)
|--|----CN=Customer1
|--|----|--CN=Users
|--|----|--|--CN=user1
|--|----|--CN=Groups
|--|----|--|--CN=group1
|--|----|--CN=Administrators
|--|----|--|--CN=Admin1
|--|----CN=Customer2
|--|------| ...

I want to give the AdminGroupCustomer1 group permission to modify anything in OU=Customer1, but nothing in Customer2.

So this is what I did:

1) Add AdminCustomer1 (which is an AD user, in fact) to the AdminGroupCustomer1 group. OK
2) Add AdminGroupCustomer1 (which is the group role) to the Readers group role. OK (Is that really needed? I don't think so.)
3) Execute the following DSACLS.EXE command to grant permissions on Customer1's container to the AdminGroupCustomer1 group:

dsacls.exe "\\server:port\CN=Customer1,OU=Users,OU=extra,DC=domain,DC=local" /I:T /G "CN=AdminGroupCustomer1,CN=Roles,OU=extra,DC=domain,DC=local:GW" 

Where /I:T applies the rights to the object and its sub-objects, /G grants rights, and GW is Generic Write permission.

But I'm still not able to modify user1's password while connected to the instance with an AD user that is a member of AdminGroupCustomer1. I tried WP = Write Property and WD = Write Security Change, with no success, so I don't really understand.

Permission information can be found in the following TechNet article.

Did I miss something ?

Do I need to set Write permission on the specific properties I need to modify? For example, set WP on the password property to be able to reset/change a user's password?

Edit: Should I move this question to SuperUser?

Nico
  • How are you trying to reset the password? Could you please describe the process? Please try using DSMOD. https://technet.microsoft.com/en-us/library/cc732954.aspx – Vick Vega Jan 21 '15 at 17:17
  • Thanks for the comment. I connected using the new user with ADSI Edit, then right-clicked on the user > Reset Password. When I entered the password twice and clicked OK, I got a permission error. – Nico Jan 26 '15 at 07:21
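The following is an added example and not part of the original question or its comments. Resetting a password in AD LDS is a control access right ("Reset Password", granted with the CA permission specifier in dsacls), not a property write, so GW, WP and WD on the container do not cover it. This PowerShell snippet uses the DNs from the question, assumes the instance listens on port 389 (a placeholder; use your own port) and assumes the user class from MS-User.LDF is what the objects under Customer1 are. It grants the right inherited to user objects below the Customer1 container and then dumps the DACL with dsacls to check that an ACE for the group carrying "Reset Password" is present; the check is a text match on dsacls' output rather than a structured ACL read.

```powershell
# Added example (not from the original question): grant the "Reset Password"
# control access right with dsacls.exe, then read the ACL back to confirm it.
# Server, port and DNs follow the question; the port is an assumption.
$Server   = 'server'
$Port     = 389                                   # assumption: the instance's LDAP port
$TargetDn = 'CN=Customer1,OU=Users,OU=extra,DC=domain,DC=local'
$GroupDn  = 'CN=AdminGroupCustomer1,CN=Roles,OU=extra,DC=domain,DC=local'
$Path     = "\\${Server}:${Port}\${TargetDn}"

# "Reset Password" is a control access right (CA), so GW/WP/WD do not include it.
# /I:S applies the ACE to sub-objects only; the trailing ';user' limits it to
# objects of class user, so it does not spill onto the Groups container.
$Ace = '{0}:CA;Reset Password;user' -f $GroupDn
& dsacls.exe $Path /I:S /G $Ace
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify: dsacls with no switches prints the DACL. Look for an ACE that names the
# group and carries the Reset Password right; return $true if one is found.
function Test-ResetPasswordAce {
    param([string]$Path, [string]$GroupCn)
    $dump = & dsacls.exe $Path 2>&1
    $hit  = $dump |
        Select-String -SimpleMatch $GroupCn -Context 0, 3 |
        Where-Object {
            ($_.Line + ' ' + ($_.Context.PostContext -join ' ')) -match 'Reset Password'
        }
    return [bool]$hit
}

Test-ResetPasswordAce -Path $Path -GroupCn 'AdminGroupCustomer1'
```

Two caveats for anyone testing this with ADSI Edit as in the question: run it with an account that already holds Write DAC on the Customer1 container (an instance administrator), and remember that AD LDS by default refuses to set or change a password over an unencrypted LDAP connection, so the connection used for the reset needs to be the SSL port (or the instance must be configured to allow it), otherwise the reset fails even with the right ACE in place.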

1 Answer

Had a similar problem and this helped me to solve it:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.active_directory/2006-05/msg01913.html