Delegate remote access permission
Allan Tee
2005-11-09 09:43:05 UTC
I want to delegate granting/denying of dialin access to our helpdesk. I
enabled Read/Write Remote Access Information on the specific OU and made a
custom mmc and distributed to my helpdesk. The helpdesk can tick/untick grant
dialin access but when clicking Ok it says access is denied. What additional
right do I have to tick to make this work? Thanks!
Jorge_de_Almeida_Pinto
2005-12-30 22:35:41 UTC
on one of the DCs open up the file DSSEC.DAT (located in
C:\WINDOWS\system32)

search for msNPAllowDialin=

change the 7 into a 0 (zero), save the file

re-open Active Directory Users and Computers on that same DC. Start
the delegation of control wizard

choose as the object type: user objects
for permissions select: general and property specific

select READ/WRITE msNPAllowDialin

You're done. The helpdesk people should now be able to change select
allow or deny or through remote access policies DIALIN on the dialin
TAB

good luck
Allan Tee
2006-01-04 00:19:02 UTC
Hi Jorge, thanks for the reply! However I wasn't able to locate the READ/WRITE
msNPAllowDialin you were referring to after editing
%windir%\system32\dssec.dat. I attach here the list to prove there is no
msNPAllowDialin ;)

Full Control
Read
Write
Create All Child Objects
Delete All Child Objects
Read All Properties
Write All Properties
Change Password
Reset Password
Read and write General Information
Read and write Account Restrictions
Read and write Logon Information
Read and write Group Membership
Read and write Personal Information
Read and write Phone and Mail Options
Read and write Web Information
Read and write Public Information
Read and write Remote Access Information
Allowed to Authenticate
Receive As
Send As
Read accountExpires
Write accountExpires
Read accountNameHistory
Write accountNameHistory
Read adminDescription
Write adminDescription
Read adminDisplayName
Write adminDisplayName
Read Alias
Write Alias
Read altRecipient
Write altRecipient
Read altRecipientBL
Write altRecipientBL
Read altSecurityIdentities
Write altSecurityIdentities
Read Assistant
Write Assistant
Read attributeCertificate
Write attributeCertificate
Read attributeCertificateAttribute
Write attributeCertificateAttribute
Read audio
Write audio
Read authOrig
Write authOrig
Read authOrigBL
Write authOrigBL
Read autoReply
Write autoReply
Read businessCategory
Write businessCategory
Read businessRoles
Write businessRoles
Read carLicense
Write carLicense
Read Comment
Write Comment
Read Company
Write Company
Read Custom Attribute 1
Write Custom Attribute 1
Read Custom Attribute 10
Write Custom Attribute 10
Read Custom Attribute 11
Write Custom Attribute 11
Read Custom Attribute 12
Write Custom Attribute 12
Read Custom Attribute 13
Write Custom Attribute 13
Read Custom Attribute 14
Write Custom Attribute 14
Read Custom Attribute 15
Write Custom Attribute 15
Read Custom Attribute 2
Write Custom Attribute 2
Read Custom Attribute 3
Write Custom Attribute 3
Read Custom Attribute 4
Write Custom Attribute 4
Read Custom Attribute 5
Write Custom Attribute 5
Read Custom Attribute 6
Write Custom Attribute 6
Read Custom Attribute 7
Write Custom Attribute 7
Read Custom Attribute 8
Write Custom Attribute 8
Read Custom Attribute 9
Write Custom Attribute 9
Read deletedItemFlags
Write deletedItemFlags
Read delivContLength
Write delivContLength
Read deliverAndRedirect
Write deliverAndRedirect
Read deliveryMechanism
Write deliveryMechanism
Read delivExtContTypes
Write delivExtContTypes
Read Department
Write Department
Read departmentNumber
Write departmentNumber
Read Description
Write Description
Read desktopProfile
Write desktopProfile
Read Direct Reports
Write Direct Reports
Read Display Name
Write Display Name
Read Division
Write Division
Read dLMemDefault
Write dLMemDefault
Read dLMemRejectPerms
Write dLMemRejectPerms
Read dLMemRejectPermsBL
Write dLMemRejectPermsBL
Read dLMemSubmitPerms
Write dLMemSubmitPerms
Read dLMemSubmitPermsBL
Write dLMemSubmitPermsBL
Read dnQualifier
Write dnQualifier
Read E-Mail Address (Others)
Write E-Mail Address (Others)
Read Employee ID
Write Employee ID
Read employeeNumber
Write employeeNumber
Read employeeType
Write employeeType
Read enabledProtocols
Write enabledProtocols
Read Exchange Home Server
Write Exchange Home Server
Read Exchange Mailbox Store
Write Exchange Mailbox Store
Read expirationTime
Write expirationTime
Read extensionData
Write extensionData
Read Fax Number
Write Fax Number
Read Fax Number (Others)
Write Fax Number (Others)
Read First Name
Write First Name
Read formData
Write formData
Read forwardingAddress
Write forwardingAddress
Read groupMembershipSAM
Write groupMembershipSAM
Read heuristics
Write heuristics
Read Home Address
Write Home Address
Read Home Drive
Write Home Drive
Read Home Folder
Write Home Folder
Read Home Phone
Write Home Phone
Read Home Phone Number (Others)
Write Home Phone Number (Others)
Read homeMTA
Write homeMTA
Read houseIdentifier
Write houseIdentifier
Read ILS Settings
Write ILS Settings
Read importedFrom
Write importedFrom
Read Initials
Write Initials
Read Instant Messaging Address
Write Instant Messaging Address
Read Instant Messaging Home Server URL
Write Instant Messaging Home Server URL
Read Instant Messaging URL
Write Instant Messaging URL
Read International ISDN Number (Others)
Write International ISDN Number (Others)
Read internetEncoding
Write internetEncoding
Read IP Phone Number
Write IP Phone Number
Read IP Phone Number (Others)
Write IP Phone Number (Others)
Read Job Title
Write Job Title
Read jpegPhoto
Write jpegPhoto
Read kMServer
Write kMServer
Read labeledURI
Write labeledURI
Read language
Write language
Read languageCode
Write languageCode
Read lastLogonTimestamp
Write lastLogonTimestamp
Read lockoutTime
Write lockoutTime
Read Logon Name
Write Logon Name
Read Logon Name (pre-Windows 2000)
Write Logon Name (pre-Windows 2000)
Read Logon Workstations
Write Logon Workstations
Read logonHours
Write logonHours
Read logonWorkstation
Write logonWorkstation
Read Manager
Write Manager
Read mAPIRecipient
Write mAPIRecipient
Read mDBOverHardQuotaLimit
Write mDBOverHardQuotaLimit
Read mDBOverQuotaLimit
Write mDBOverQuotaLimit
Read mDBStorageQuota
Write mDBStorageQuota
Read mDBUseDefaults
Write mDBUseDefaults
Read Member Of
Write Member Of
Read Middle Name
Write Middle Name
Read Mobile Number
Write Mobile Number
Read Mobile Number (Others)
Write Mobile Number (Others)
Read mS-DS-CreatorSID
Write mS-DS-CreatorSID
Read msCOM-PartitionSetLink
Write msCOM-PartitionSetLink
Read msCOM-UserLink
Write msCOM-UserLink
Read msCOM-UserPartitionSetLink
Write msCOM-UserPartitionSetLink
Read msDRM-IdentityCertificate
Write msDRM-IdentityCertificate
Read msDS-AllowedToDelegateTo
Write msDS-AllowedToDelegateTo
Read msDS-Approx-Immed-Subordinates
Write msDS-Approx-Immed-Subordinates
Read msDS-Cached-Membership
Write msDS-Cached-Membership
Read msDS-Cached-Membership-Time-Stamp
Write msDS-Cached-Membership-Time-Stamp
Read msDS-KeyVersionNumber
Write msDS-KeyVersionNumber
Read msDs-masteredBy
Write msDs-masteredBy
Read msDS-MembersForAzRoleBL
Write msDS-MembersForAzRoleBL
Read msDS-NCReplCursors
Write msDS-NCReplCursors
Read msDS-NCReplInboundNeighbors
Write msDS-NCReplInboundNeighbors
Read msDS-NCReplOutboundNeighbors
Write msDS-NCReplOutboundNeighbors
Read msDS-NonMembersBL
Write msDS-NonMembersBL
Read msDS-ObjectReferenceBL
Write msDS-ObjectReferenceBL
Read msDS-OperationsForAzRoleBL
Write msDS-OperationsForAzRoleBL
Read msDS-OperationsForAzTaskBL
Write msDS-OperationsForAzTaskBL
Read msDS-ReplAttributeMetaData
Write msDS-ReplAttributeMetaData
Read msDS-ReplValueMetaData
Write msDS-ReplValueMetaData
Read msDS-Site-Affinity
Write msDS-Site-Affinity
Read msDS-TasksForAzRoleBL
Write msDS-TasksForAzRoleBL
Read msDS-TasksForAzTaskBL
Write msDS-TasksForAzTaskBL
Read msDS-User-Account-Control-Computed
Write msDS-User-Account-Control-Computed
Read name
Write name
Read Name
Write Name
Read Notes
Write Notes
Read objectSid
Write objectSid
Read otherLoginWorkstations
Write otherLoginWorkstations
Read Outlook Web Access Server
Write Outlook Web Access Server
Read ownerBL
Write ownerBL
Read Pager Number
Write Pager Number
Read Pager Number (Others)
Write Pager Number (Others)
Read personalPager
Write personalPager
Read Phone Number (Others)
Write Phone Number (Others)
Read photo
Write photo
Read pOPCharacterSet
Write pOPCharacterSet
Read pOPContentFormat
Write pOPContentFormat
Read Post Office Box
Write Post Office Box
Read postalAddress
Write postalAddress
Read preferredLanguage
Write preferredLanguage
Read profilePath
Write profilePath
Read protocolSettings
Write protocolSettings
Read publicDelegates
Write publicDelegates
Read publicDelegatesBL
Write publicDelegatesBL
Read pwdLastSet
Write pwdLastSet
Read replicatedObjectVersion
Write replicatedObjectVersion
Read replicationSensitivity
Write replicationSensitivity
Read replicationSignature
Write replicationSignature
Read roomNumber
Write roomNumber
Read scriptPath
Write scriptPath
Read secretary
Write secretary
Read securityProtocol
Write securityProtocol
Read serialNumber
Write serialNumber
Read street
Write street
Read Street Address
Write Street Address
Read structuralObjectClass
Write structuralObjectClass
Read submissionContLength
Write submissionContLength
Read supportedAlgorithms
Write supportedAlgorithms
Read targetAddress
Write targetAddress
Read Telephone Number
Write Telephone Number
Read telephoneAssistant
Write telephoneAssistant
Read thumbnailLogo
Write thumbnailLogo
Read thumbnailPhoto
Write thumbnailPhoto
Read Title
Write Title
Read tokenGroupsGlobalAndUniversal
Write tokenGroupsGlobalAndUniversal
Read uid
Write uid
Read unauthOrig
Write unauthOrig
Read unauthOrigBL
Write unauthOrigBL
Read unmergedAtts
Write unmergedAtts
Read userAccountControl
Write userAccountControl
Read userCert
Write userCert
Read userCertificate
Write userCertificate
Read userParameters
Write userParameters
Read userPKCS12
Write userPKCS12
Read userSharedFolder
Write userSharedFolder
Read userSharedFolderOther
Write userSharedFolderOther
Read versionNumber
Write versionNumber
Read Web Page Address
Write Web Page Address
Read x500uniqueIdentifier
Write x500uniqueIdentifier
Read ZIP/Postal Code
Write ZIP/Postal Code
Jorge de Almeida Pinto
2006-01-04 07:55:20 UTC
Yes there is...;-)
I guess you changed the msNPAllowDialin option under [computer]. You should
change it under [user]

open up %windir%\system32\dssec.dat again... search for it change the
computer option back to its original value and the user option this time
and try again.

create a custom task for USER specific objects
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
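Added example (not part of the thread and not code from either poster): a Python check, run against a copy of dssec.dat, that reports the msNPAllowDialin filter value per section and catches the [computer]/[user] mix-up described in the reply above. The sample file contents are constructed; only the two values named in the thread (7 = hidden, 0 = shown) are interpreted, and treating 7 as the stock value in other sections is an assumption.

```python
import re
import sys

# Constructed excerpt in the layout of dssec.dat (not copied from a real DC).
# It reproduces the mistake from the thread: the value was changed under
# [computer] while [user] still hides the attribute.
SAMPLE_DSSEC = """\
[computer]
accountExpires=7
msNPAllowDialin=0

[user]
scriptPath=7
msNPAllowDialin=7
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_dssec(text):
    """Parse INI-style text into {section: {attribute: value}}, keys lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group("name").lower(), {})
            continue
        if current is None or "=" not in line:
            continue  # ignore anything before the first section or without '='
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def filter_state(sections, object_class, attribute):
    """Classify one attribute's filter value in one object-class section."""
    value = sections.get(object_class.lower(), {}).get(attribute.lower())
    if value is None:
        return "not-listed"
    if value == "7":
        return "hidden"   # per the thread: 7 keeps it out of the wizard
    if value == "0":
        return "shown"    # per the thread: 0 makes it selectable
    return "other:" + value  # not interpreted here


def audit(text, attribute="msNPAllowDialin", wanted_class="user"):
    """Report the state in wanted_class and any other section left un-hidden."""
    sections = parse_dssec(text)
    attr = attribute.lower()
    unhidden_elsewhere = sorted(
        name
        for name, entries in sections.items()
        if name != wanted_class.lower() and attr in entries and entries[attr] != "7"
    )
    return {
        wanted_class.lower(): filter_state(sections, wanted_class, attribute),
        "unhidden_elsewhere": unhidden_elsewhere,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a copy of dssec.dat; adjust the encoding if the copy needs it.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_DSSEC
    print(audit(content))
```

A result of "hidden" for user together with "computer" in unhidden_elsewhere is the state the original poster was in when the permission did not appear in the wizard.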


Allan Tee
2006-01-04 08:46:03 UTC
Hi Jorge,

You are right, I changed the msNPAllowDialin option under [computer] instead
of the [user] section. I was able to delegate Read/Write msNPAllowDialin to
my helpdesk for a particular OU. Will have them test it out and reply here
about the result. Hope it works! Thanks very much!
Allan Tee
2006-02-07 01:06:28 UTC
Hi Jorge, setting msNPAllowDialin still didn't grant our helpdesk right to
grant/deny dialin access via ADUC. Just to let you and others know. Thanks!
Jorge de Almeida Pinto [MVP]
2006-02-19 12:15:21 UTC
I understand "it" does not work for you...

what do you mean with "setting msNPAllowDialin still didnt grant our
helpdesk right to grant/deny dialin access via ADUC"
explain what you have done
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


Jorge de Almeida Pinto [MVP]
2006-02-19 15:00:25 UTC
just tried it myself using aduc and it says:
Dial-in profile changes were not saved because: Access is denied

However, setting the attribute I mentioned through ADSIEDIT.MSC does work

I used W2K3 SP1
Allan Tee
2006-02-20 00:02:06 UTC
Hi Jorge!

That is the exact error message I get via ADUC "changes were not saved
because: Access is denied"

did you mean i you set msNPAllowDialin attribute via adsiedit.msc and when
you used ADUC to grant/deny dialin access it worked?

Thanks for following up on this!
Jorge de Almeida Pinto [MVP]
2006-02-20 07:36:18 UTC
Try it yourself...

Through ADSIEDIT I was able to set the attribute to true/false/not set
which corresponds to Allow Dial-in/Deny Dial-in/Through Policies
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
Post by Allan Tee
Hi Jorge!
That is the exact error message I get via ADUC "changes were not saved
because: Access is denied"
did you mean you set msNPAllowDialin attribute via adsiedit.msc and when
you used ADUC to grant/deny dialin access it worked?
Thanks for following up on this!
Post by Jorge de Almeida Pinto [MVP]
Dial-in profile changes were not saved because: Access is denied
However, setting the attribute I mentioned through ADSIEDIT.MSC does work
I used W2K3 SP1
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP]"
Post by Jorge de Almeida Pinto [MVP]
I understand "it" does not work for you...
what do you mean with "setting msNPAllowDialin still didn't grant our
helpdesk right to grant/deny dialin access via ADUC"
explain what you have done
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
hi jorge, setting msNPAllowDialin still didn't grant our helpdesk right to
grant/deny dialin access via ADUC. just to let you and others know. thanks!
Post by Allan Tee
hi jorge,
you are right i changed the msNPAllowDialin option under [computer] instead
of the [user] section. i was able to delegate Read/Write msNPAllowDialin to
my helpdesk for a particular OU. will have them test it out and reply here
about the result. hope it works! thanks very much!
Post by Jorge de Almeida Pinto
Yes there is...;-)
I guess you changed the msNPAllowDialin option under [computer]. You should
change it under [user]
open up %windir%\system32\dssec.dat again... search for it change the
computer option back to its original value and the user option this time
and try again.
create a custom tasks for USER specific objects
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
Allan Tee
2006-02-20 07:58:28 UTC
Permalink
Hi Jorge.

I tried setting true/false/not set for NPAllowDialin attribute via Adsiedit.
However this will not work because our helpdesk need to use mmc console to
remote manage AD users. Thanks anyway!
Post by Jorge de Almeida Pinto [MVP]
Try it yourself...
Through ADSIEDIT I was able to set the attribute to true/false/not set
which corresponds to Allow Dial-in/Deny Dial-in/Through Policies
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Post by Allan Tee
Hi Jorge!
That is the exact error message I get via ADUC "changes were not saved
because: Access is denied"
did you mean you set msNPAllowDialin attribute via adsiedit.msc and when
you used ADUC to grant/deny dialin access it worked?
Thanks for following up on this!
Post by Jorge de Almeida Pinto [MVP]
Dial-in profile changes were not saved because: Access is denied
However, setting the attribute I mentioned through ADSIEDIT.MSC does work
I used W2K3 SP1
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP]"
Post by Jorge de Almeida Pinto [MVP]
I understand "it" does not work for you...
what do you mean with "setting msNPAllowDialin still didn't grant our
helpdesk right to grant/deny dialin access via ADUC"
explain what you have done
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
hi jorge, setting msNPAllowDialin still didn't grant our helpdesk right to
grant/deny dialin access via ADUC. just to let you and others know. thanks!
Post by Allan Tee
hi jorge,
you are right i changed the msNPAllowDialin option under [computer] instead
of the [user] section. i was able to delegate Read/Write msNPAllowDialin to
my helpdesk for a particular OU. will have them test it out and reply here
about the result. hope it works! thanks very much!
Post by Jorge de Almeida Pinto
Yes there is...;-)
I guess you changed the msNPAllowDialin option under [computer]. You should
change it under [user]
open up %windir%\system32\dssec.dat again... search for it change the
computer option back to its original value and the user option this time
and try again.
create a custom tasks for USER specific objects
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
EricE
2007-05-30 20:52:21 UTC
Permalink
here are the steps I completed to do this. And yes it works through
ADUC. The main thing I see missing from above is granting the
read/write userParameters right.

ManageDialin
Note: this model requires editing the C:\windows\system32\DSSEC.DAT
file on the DC that you are running ADUC on. See
http://support.microsoft.com/?id=296490 for more details. In short,
some of the rights that need to be delegated are filtered out from the
list by default. Edit the file so that these permissions are no longer
filtered (set them from 7 to a 0):
1. Set the following values to 0 under the [user] area in the file (not
under [computer]):
   msNPAllowDialin=0
   msNPCallingStationID=0
   msNPSavedCallingStationID=0
   msRADIUSCallbackNumber=0
   msRADIUSFramedIPAddress=0
   msRADIUSFramedRoute=0
   msRADIUSServiceType=0
   msRASSavedCallbackNumber=0
   msRASSavedFramedIPAddress=0
   msRASSavedFramedRoute=0
2. Save the file and then open ADUC / run delegation wizard etc as
outlined below.
3. Specify the group to delegate to (DELG Group)
4. Select Create a custom task to delegate and select Next
5. Select Only the following objects in the folder
a. User objects
6. Select Next
7. Select General and Property-specific under Show these permissions
8. Select "Read and Write Remote Access Information"
9. Select the Read and Write checkboxes for all of the following
attributes
   msNPAllowDialin
   msNPCallingStationID
   msNPSavedCallingStationID
   msRADIUSCallbackNumber
   msRADIUSFramedIPAddress
   msRADIUSFramedRoute
   msRADIUSServiceType
   msRASSavedCallbackNumber
   msRASSavedFramedIPAddress
   msRASSavedFramedRoute
   userParameters
10. Select Next
11. Review Summary and Select Finish to complete
--
EricE
------------------------------------------------------------------------
EricE's Profile: http://forums.techarena.in/member.php?userid=26195
View this thread: http://forums.techarena.in/showthread.php?t=401641

http://forums.techarena.in
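The dssec.dat edit from step 1 of the post above, as an added example that is not part of EricE's post or of any Microsoft tooling: a PowerShell helper (the function name and the sample content are assumptions) that sets the listed attributes to 0 only inside [user] and reports every match it finds in other sections such as [computer], which is the mistake made earlier in this thread.

```powershell
# Added example, not from the thread. Sets the dial-in attributes to 0 in the
# [user] section only and reports where each attribute was found.
$DialinAttributes = @(
    'msNPAllowDialin', 'msNPCallingStationID', 'msNPSavedCallingStationID',
    'msRADIUSCallbackNumber', 'msRADIUSFramedIPAddress', 'msRADIUSFramedRoute',
    'msRADIUSServiceType', 'msRASSavedCallbackNumber',
    'msRASSavedFramedIPAddress', 'msRASSavedFramedRoute'
)

function Update-DssecUserSection {   # hypothetical helper name
    param([string[]]$Lines, [string[]]$Attributes = $DialinAttributes)
    $section = ''
    $report = @()
    $newLines = foreach ($line in $Lines) {
        if ($line -match '^\s*\[([^\]]+)\]\s*$') {
            $section = $Matches[1].Trim()          # entering a new [section]
        }
        elseif ($line -match '^\s*([^=\s]+)\s*=\s*(\d+)\s*$' -and
                $Attributes -contains $Matches[1]) {
            $name, $old = $Matches[1], $Matches[2]
            $fix = ($section -eq 'user' -and $old -ne '0')
            if ($fix) { $line = "$name=0" }        # never touches [computer]
            $report += [pscustomobject]@{
                Section = $section; Attribute = $name; Old = $old; Changed = $fix
            }
        }
        $line                                      # emit original or rewritten line
    }
    [pscustomobject]@{ Lines = $newLines; Report = $report }
}

# Constructed sample, not a real dssec.dat.
$sample = @'
[computer]
msNPAllowDialin=7
[user]
someOtherAttribute=7
msNPAllowDialin=7
msRADIUSServiceType=7
'@ -split '\r?\n'

$result = Update-DssecUserSection -Lines $sample
$result.Report | Format-Table -AutoSize   # [computer] row shows Changed = False
$result.Lines                             # [user] entries now read =0
```

On a DC, pass it the output of Get-Content for %windir%\system32\dssec.dat and keep a backup copy of the file before writing the returned lines back.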
danthony2
2009-07-21 18:13:56 UTC
Permalink
Sorry to bring back such an old post but I need to do the same thing for
mobile numbers and was wondering if this would work for Windows 2003?
--
danthony2
------------------------------------------------------------------------
danthony2's Profile: http://forums.techarena.in/members/116955.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/401641.htm

http://forums.techarena.in
Meinolf Weber [MVP-DS]
2009-07-21 22:44:43 UTC
Permalink
Hello danthony2,

As you said this seems to be an old posting, because no source problem is
to see. So please describe in detail what you are trying to achieve. Is the
2003 server a domain controller, domain member or workgroup server? Is it
fully patched?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by danthony2
Sorry to bring back such an old post but I need to do the same thing
for mobile numbers and was wondering if this would work for Windows
2003?
http://forums.techarena.in
danthony2
2009-07-22 00:12:20 UTC
Permalink
Hello Meinolf,

Thanks for the offer of help. I believe the 9 DCs are all running SP2.
Our goal is to only delegate 1 group (Helpdesk) to be able to read/write
the mobile number field in ADUC. I think the solution above will work
for this?

Thanks,
David

--
danthony2
------------------------------------------------------------------------
danthony2's Profile: http://forums.techarena.in/members/116955.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/401641.htm

http://forums.techarena.in
Meinolf Weber [MVP-DS]
2009-07-22 00:42:58 UTC
Permalink
Hello danthony2,

Again i can not see any solution in your posting, that's the reason i asked
you to start a new thread with all information about.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by danthony2
Hello Meinolf,
Thanks for the offer of help. I believe the 9 DCs are all running SP2.
Our goal is to only delegate 1 group (Helpdesk) to be able to
read/write the mobile number field in ADUC. I think the solution above
will work for this?
Thanks,
David
http://forums.techarena.in