Delegating jpegPhoto User Attribute

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Delegating jpegPhoto User Attribute

    Trying to add delegation for the management of the jpegPhoto attribute to a non-Domain Admin account. This attribute is used for an online employee directory. When modified by a Domain Admin everything works fine and we can assign a JPEG file to the attribute. However, when trying to do this through another account we get the following error:

    Unable to save Active Directory data: Access is denied.
    -- Extended Error --- LDAP Provider : 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    I have already gone into AD Users and Computers and delegated the following rights to the user account:

    User Objects

    Read/Write - jpegPhoto
    Read/Write - pwdLastSet
    Read/Write - userAccountControl

    I've also tried adding Account Operator to the user's membership and still get the same error. What additional settings do I need to have without making the account a member of the Domain Admins group? Thanks in advance.

  • #2
    Re: Delegating jpegPhoto User Attribute

    One thing that is confusing me is the use of jpegPhoto, as Hyena never accesses that attribute. Hyena stores the photo information into the 'thumbnailphoto' attribute. The other fields that you reference are the only fields modified when you click OK on the user properties dialog. There are others if you are adding new users, but I assume you are just modifying.
    Kevin Stanush
    SystemTools Software Inc.



    • #3
      Re: Delegating jpegPhoto User Attribute

      I also tried thumbnailPhoto with R/W as well as Photo, thumbnailLogo, etc. However, the staff member still gets the same error. Any thoughts?



      • #4
        Re: Delegating jpegPhoto User Attribute

        I just now verified that if I access a user's properties, click on the Personal tab, then specify a photo, change nothing else, and click OK, only these attributes are updated in the directory:

        useraccountcontrol
        pwdlastset
        thumbnailphoto

        Describe how you assigned these permissions to your restricted user account.
        Kevin Stanush
        SystemTools Software Inc.



        • #5
          Re: Delegating jpegPhoto User Attribute

          Active Directory Users and Computers:

          1. Right-click the appropriate OU

          2. Select the Security tab

          3. Click Advanced

          4. Click Add

          5. Select user then OK

          6. Select Properties tab

          7. Change Apply To to Descendant User Objects

          8. Check both Read and Write for the following permissions:

          thumbnailPhoto
          userAccountControl
          pwdLastSet


          I've also tried this using the Delegation Wizard, but neither method works. We still get the same error message.



          • #6
            Re: Delegating jpegPhoto User Attribute

            I tested this on an account with no rights, and could reproduce the problem. A search for 'pwdlastset' on MSDN hinted that Microsoft considers changing this attribute a password modification (it's not), so I enabled the 'reset password' right for my test user and the permissions error went away. Possibly the 'change password' right will also work, but I don't know what the difference is between reset and change.

            This isn't the behavior that I would expect because changing pwdlastset is used to check/uncheck the 'user must change password at next logon' setting and has nothing to do with changing the password.

            In the current release version, Hyena always sets pwdlastset depending on the state of the 'user must change password at next logon' checkbox. This particular setting is a mess in Windows, but as a test, I changed the current logic to only set pwdlastset if the checkbox for 'user must change...' is actually changed (modified). This way, the pwdlastset attribute is never updated, the user does not need Reset Password rights, and there isn't any error.

            So, you can either enable the Reset Password right and see if the error goes away, or if you want to use a beta version of v7.2 which contains this new logic, let me know. Due to the severity of these changes, I can't implement this into a release (v7.1) build without a beta test.
            Kevin Stanush
            SystemTools Software Inc.

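As an added example (not code from this thread or from SystemTools), the PowerShell below applies the per-attribute delegation from #5 for Descendant User objects and then lists the ACEs on the OU that relate to the pwdLastSet / Reset Password finding in #6. The OU name, the delegate account name and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread: delegate Read/Write on the three attributes Hyena
# writes (post #5) for Descendant User objects, then audit the OU's ACL for the ACEs
# that matter to the pwdLastSet / Reset Password finding in post #6.
Import-Module ActiveDirectory

$OuDn       = 'OU=Staff,DC=example,DC=com'   # assumed target OU
$Delegate   = 'EXAMPLE\directory-editor'     # assumed non-admin delegate account
$Attributes = 'thumbnailPhoto', 'userAccountControl', 'pwdLastSet'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID is stored as a 16-byte array; cast it to [guid] for use in the ACE.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$sid = ([System.Security.Principal.NTAccount]$Delegate).Translate([System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$OuDn"

foreach ($attr in $Attributes) {
    # Object-specific ACE: ReadProperty|WriteProperty on one attribute, inherited only by
    # user objects below the OU (the "Descendant User objects" choice in the ADUC dialog).
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    [void]$acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Audit: show whether the delegate holds a pwdLastSet property ACE and/or the
# Reset Password control access right (the extra right post #6 found necessary).
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'
$resetPwdGuid   = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                      -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and
                   ($_.ObjectType -eq $pwdLastSetGuid -or $_.ObjectType -eq $resetPwdGuid) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

If the audit lists only the pwdLastSet property ACE and no Reset Password entry, the delegate is in the same position as the test account in #6: a write to pwdLastSet is still refused with INSUFF_ACCESS_RIGHTS unless the client avoids touching that attribute.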


            • #7
              Re: Delegating jpegPhoto User Attribute

              I would love to beta test this as granting Reset Password rights just isn't an option due to company and SOX policies. Where can I download it? Thanks.



              • #8
                Re: Delegating jpegPhoto User Attribute

                You can download the beta here:
                http://www.systemtools.com/download/hyena72.zip

                This .zip file contains just a revised hyena.exe.
                Kevin Stanush
                SystemTools Software Inc.



                • #9
                  Re: Delegating jpegPhoto User Attribute

                  Thank you very much. I'll try it out today and let you know how things go.
