Questions tagged [delegation]

137 questions
11
votes
2 answers

How can I determine what permissions my user is missing for receiving a ZFS dataset?

I have a FreeNAS (11.1-U1) and a FreeBSD (11.1-RELEASE-p6) machine. On the FreeNAS I'd like to zfs receive recursive snapshots as a non-root user with delegated privileges. This appears to work well for most of the child-datasets. But iocage's data…
sloh
  • 161
  • 8
10
votes
1 answer

NS records chicken and egg: NS in the domain it's serving

I've dealt with BIND for years and this has always kind of bugged me. $ dig google.com ns ;; QUESTION SECTION: ;google.com. IN NS ;; ANSWER SECTION: google.com. 87046 IN NS ns3.google.com. etc... ;; ADDITIONAL…
8
votes
2 answers

Risks of Kerberos Delegation

I've been spending hours upon hours trying to learn and understand Windows Authentication, Kerberos, SPNs, and Constrained Delegation in IIS 7.5. One thing I just don't get is why it is "risky" to leave delegation enabled (i.e. not disable…
8
votes
2 answers

Is there a way to get Kerberos credentials to delegate twice? Why not?

All my nerdly life, I've dealt with this limitation of Windows Domains Login - console Integrated auth to something (usually web app) My credentials can't move to another server (e.g. database or file system). They have to trust machine 2. Is…
Precipitous
  • 319
  • 3
  • 9
7
votes
1 answer

In Active Directory, how do I delegate write permissions on specific attributes of protected user accounts?

We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of employee information truth elsewhere, so that when someone's phone number or manager or location changes,…
Shane Madden
  • 112,982
  • 12
  • 174
  • 248
6
votes
2 answers

Active Directory Permissions: Delete vs Move

I want our help desk to be able to move user accounts but NOT delete them. Here is the summary of our current permissions set on the affected OU's (this DOES allow them to delete user accounts): Allow - Full Control - Descendant User objects Allow…
Fëanor
  • 113
  • 1
  • 2
  • 5
5
votes
1 answer

Is there an easy way to set up Active Directory Constrained Delegation for all Domain Controllers

We've worked through configuring AD constrained delegation for a service account in our domain, and we've gotten everything to work in principle. However, to do so we had to set up LDAP delegation to specific domain controllers. The downside of that…
Abs
  • 320
  • 3
  • 8
5
votes
3 answers

Delegating account unlock rights in AD

I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the…
ewall
  • 1,054
  • 3
  • 13
  • 23
5
votes
4 answers

What to do with user mailboxes in Exchange 2003 after they leave organization?

Over the ages we've accumulated mailboxes of users who have since left the company. Due to concerns at the time (they have important stuff in the mailboxes, we need to get to it) the SOP was to leave the account ACTIVE and change the password to…
Matt Rogish
  • 1,512
  • 6
  • 25
  • 41
5
votes
1 answer

Different ACLs on two OU's with same "protect object from deletion" setting

Background After I configured our Active Directory so that the ability to move computers was delegated to helpdesk staff, I started hearing reports that computers would get "stuck" in specific OU's. They can move a computer in, but get an "access…
Nic
  • 13,025
  • 16
  • 59
  • 102
5
votes
1 answer

DNS referral / delegation: which DNS is responsible; How to delegate the right way?

Introduction I bought the domain earechnung.at with Hetzner and am using my webspace at All-Inkl. I want to use the nameservers of my webhost (All-Inkl). Zonefiles and Nameservers As I registered the domain with Hetzner, nic.at (the Austrian domain…
5
votes
2 answers

Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers

I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System Log, and several logs in "Application and Services…
5
votes
1 answer

Services Accounts

We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable. I am looking to change this as soon as possible but am fairly new to AD permissions. The main use of the service…
user35213
5
votes
5 answers

IIS Strategies for Accessing Secured Network Resources

Problem: A user connects to a service on a machine, such as an IIS web site or a SQL Server database. The site or the database need to gain access to network resources such as file shares (the most common) or a database on a different server.…
ErikE
  • 301
  • 3
  • 11
4
votes
1 answer

Suggestions For IT Staff Delegation

Looking for some suggestions or tips on how to set up our IT admins with delegation and server access. I started at a new organization and saw that every IT staff member is a domain admin. Looks like that allowed everyone to do what they needed to…