Delegated Permissions no longer applied after sometime, please help?

Question

Delegated Permissions no longer applied after sometime, please help?

Mart 6

I've been trying to find a solution for sometime now but haven't been able to, I delegated some permissions to user and it does work for time. User is able to login to the server and able to perform the tasks, but after sometime (days), the user will lose its ability to perform the delegated tasks. The options becomes grayed out. I have to remove the user account from the group or user names list under the security tab of the OU and go over the Delegate control wizard to reapply permissions. Any suggestions would high be appreciated.

Gary Reynolds 9,621 Reputation points

2023-06-10T00:13:57.1066667+00:00

Can you provide some additional information on what task you have delegated and what tools the options is greyed in?

Gary.
Mart 6 Reputation points

2023-06-10T01:06:12.3266667+00:00

Hi Gary, the task that were delegated are Create, delete and manage user accounts and Reset user passwords and force password change at the next logon. Practically the first two options under the Delegate the following common tasks window under the Delegation of Control Wizard. I then delegate Unlock Account Right using the same wizard, but I select the option to create a custom task to delegate for this one. Not sure if both process are causing a conflict. At the end the user is unable to carry none of the tasks since all is grayed out. see attached image.

1 answer

Your answer

Gary Reynolds 9,621 Reputation points

2023-06-10T00:13:57.1066667+00:00

Can you provide some additional information on what task you have delegated and what tools the options is greyed in?

Gary.
Mart 6 Reputation points

2023-06-10T01:06:12.3266667+00:00

Hi Gary, the task that were delegated are Create, delete and manage user accounts and Reset user passwords and force password change at the next logon. Practically the first two options under the Delegate the following common tasks window under the Delegation of Control Wizard. I then delegate Unlock Account Right using the same wizard, but I select the option to create a custom task to delegate for this one. Not sure if both process are causing a conflict. At the end the user is unable to carry none of the tasks since all is grayed out. see attached image.

Answer 1

Hi Mart,

Running the delegation wizard multiple times will not affect the existing permissions that have been assigned, as it only adds more permissions each time it is run.

The delegation of the Create, Delete, and Manage user accounts, and Reset user passwords and force password change at the next logon will assign the following permissions, permissions have been assigned to the 'Perms' users.

User's image

As these permissions will give you full permissions to the user objects, you don't technically need to delegate additional rights to unlock the accounts.

When you fix the problem, are you removing the users from the groups or just removing the permissions and reapplying them? When you do this, does the user need to restart ADUC to enable the grey options?

If you want to check that the permissions are still being applied to the user you can either the check the value of the sDRightsEffective attribute and confirm that it's 15 or use https://nettools.net/effective-permissions/ to look at the effective permissions.

Gary.

Share via

Delegated Permissions no longer applied after sometime, please help?

1 answer

Your answer