  • Having troubles

    I have no troubles administering my Win2k AD native mode domain. But my remote admins, to whom I've delegated full control of their OUs, are having problems. They are getting the following errors:

    "Unable to save Active Directory Data. Access is denied. Extended error --- LDAP Provider : 00002098: SecErr: DSID-03150616, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0."

    and

    "Unable to access RAS information for user agiusj on CAMDHQDC01"

    I delegated them rights, full control (at least I thought I did.) What am I doing wrong?

  • #2
    Re: Having troubles

    What actions are they doing to get the errors? I.e., managing users, groups, etc.

    RAS problems are another story. Microsoft did not do a very good job in putting and documenting RAS information into Active Directory. Newer versions of Hyena use the MprAdminUserSetInfo API call to save RAS information. But Microsoft does not have any documentation on the rights required to save this information. Before we try to work around this, do you need/use RAS anyway? If not, you can just turn it off under Tools->Settings->User, restart Hyena and then Hyena won't bother reading or saving the information (the Dialin user properties tab/dialog will be gone).
    Kevin Stanush
    SystemTools Software Inc.


    • #3
      Re: Having troubles

      They were trying to manage a single user account in their OU.


      • #4
        Re: Having troubles

        Have one of the delegated users view the Properties dialog for a user, and without making any changes, just click OK.

        If you get an error (access is denied), then it is probably due to one or two attributes that Hyena always modifies on all user changes. Those attributes are pwdlastset and useraccountcontrol. You might want to check if your users have full control to modify those attributes.

        If they do not get an error, then start modifying attributes in blocks of 4-5 at a time until you get the error. I suspect, however, that it's due to pwdlastset or useraccountcontrol.
        Kevin Stanush
        SystemTools Software Inc.


        • #5
          Re: Having troubles

          Yes, they get the error without changing anything and just clicking OK. Sorry for being clueless, but how do I grant them permission to these attributes?


          • #6
            Re: Having troubles

            Did you delegate through the Delegation Wizard?

            In the latest issue of Windows 2000 Magazine, there is a technical article on delegation that covers granting access to these two fields. Even though I can still dig the issue out of the trash, I don't think I can easily describe what has to be done.

            If you don't have the last issue, go to http://www.winnetmag.com, and search for "pwdlastset", and log on as a guest to view the article.

            Let me know if this does not lead to a happy resolution.

            Thanks
            Kevin Stanush
            SystemTools Software Inc.


            • #7
              Re: Having troubles

              Yes, I used the delegation wizard. It says I have to pay to get the article. Sorry to be such a pain!


              • #8
                Re: Having troubles

                Can't you log on as a guest? I saw a guest button... do guests have to pay?
                Kevin Stanush
                SystemTools Software Inc.


                • #9
                  Re: Having troubles

                  Yes. When you click the guest button it asks which subscription you want to sign up for.


                  • #10
                    Re: Having troubles

                    Man, that is no good.

                    Lucky for you I got my trash out too late this morning for the trash man. Unluckily for me, I had to dig through a week's worth of trash (that sat out in 95+ degree Texas sun all day) to find the magazine. I knew that I should have hung onto the magazine.

                    Try this:

                    - If you are running MMC, exit the application.
                    - Find a file named dssec.dat in your system's system32 directory, and edit it with Notepad.
                    - Find the section labeled "[user]"
                    - Find the "pwdlastset" attribute, and set it to:

                    pwdlastset=0

                    Anything marked with a =7 is hidden. You might want to change the value to a '0' for the lockoutTime attribute as well, as this lets users unlock accounts.

                    - Save the file, and then run MMC ADU&C.
                    - Make sure that you have checked the View->Advanced Features in MMC.
                    - Right click on one of the OUs that you have delegated out, click Properties, and click on the Security tab.
                    - Click the Advanced button
                    - Select one of the groups that you have assigned rights to and make sure it's the one that applies to "User Objects"
                    - Click on View/Edit, then the Properties tab.
                    - Scroll down and make sure that UserAccountControl and pwdlastset are enabled for writing.

                    This should not be this complicated. We hope to provide better interfaces in Hyena to some of these security/delegated rights as it is a big mess right now.

                    Let me know if you still have troubles, as I want this to work.
                    Kevin Stanush
                    SystemTools Software Inc.
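
The dssec.dat check from post #10, as an added example that is not part of the original thread and not SystemTools code: it parses text in the file's INI layout, lists which of the attributes named in the thread are marked `=7` (hidden) under `[user]`, and returns the text with those entries set to `0`. The sample content and all function names are constructed for illustration.

```python
import configparser

# Attributes named in this thread; LDAP attribute names are case-insensitive.
NEEDED = ("pwdLastSet", "userAccountControl", "lockoutTime")

# Constructed sample in dssec.dat's INI layout (not copied from a real system).
SAMPLE_DSSEC = """\
[user]
accountExpires=7
lockoutTime=7
pwdLastSet=7
userAccountControl=0
[group]
member=0
"""


def load_filters(text):
    """Parse dssec.dat text into {class: {attribute: value}}, names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {s.lower(): {k: int(v) for k, v in cp.items(s) if v.strip().isdigit()}
            for s in cp.sections()}


def hidden_attributes(filters, object_class="user", wanted=NEEDED):
    """Return the wanted attributes marked =7 (hidden) for object_class."""
    section = filters.get(object_class.lower(), {})
    return [a for a in wanted if section.get(a.lower()) == 7]


def unhide(text, object_class="user", wanted=NEEDED):
    """Return the file text with hidden wanted attributes set to 0."""
    targets = {a.lower() for a in wanted}
    out, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == object_class.lower()
        elif in_section and "=" in stripped:
            name, _, value = stripped.partition("=")
            if name.strip().lower() in targets and value.strip() == "7":
                line = f"{name.strip()}=0"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("hidden before:", hidden_attributes(load_filters(SAMPLE_DSSEC)))
    print("hidden after: ", hidden_attributes(load_filters(unhide(SAMPLE_DSSEC))))
```

dssec.dat only controls which attributes the security editor displays; the write permission itself still has to be present on the OU's ACL, which is what the remaining steps in the post verify.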


                    • #11
                      Re: Having troubles

                      I did all this, and pwdlastset was already enabled for him (wouldn't giving him full control have already granted him this?)


                      • #12
                        Re: Having troubles

                        Yes, you are right. I realized this as I was going through these steps, but wanted to make sure. These changes are mainly meant if you want to more fine-tune what rights are delegated.

                        Walk me through the steps / options that you did when you used the Delegation Wizard so that I can attempt to reproduce this problem. And, are your delegated users creating or modifying users (do you get the error either way?)

                        Thanks for all of your help.
                        Kevin Stanush
                        SystemTools Software Inc.


                        • #13
                          Re: Having troubles

                          It happens when they modify users only. They haven't tried creating a user, as we are migrating users from NT4 for them using ADMT while we're in the migration phase.

                          I right clicked on the OU, clicked delegate control, selected the user, and checked all the boxes under "Delegate the following common tasks". I then made sure advanced options was selected in ADUC and right clicked on the OU and selected the "Security Tab". I found the user I delegated control to, and selected "FULL CONTROL" which selected everything beneath it.


                          • #14
                            Re: Having troubles

                            Well, we created a user based on your instructions and have no problem modifying user properties with this account.

                            The only exception being when trying to modify an account in the Domain Admins group.

                            As a test, login as one of these accounts and open Hyena. Try right-clicking on another user account and selecting Account Function, then Reset Password. DO NOT check the checkbox that user must change password at next logon.

                            Do you get the error?

                            If not, try the same thing again but this time check that box and see if you get the error.

                            Also, take a screen shot of the permission settings for one of these accounts in ADU&C so I can make sure I've duplicated your settings to [email protected]
