Tech Line

Permissions Panic - Delegation of Control

The Effective Permissions tab can sometimes yield misleading results.

Chris: I have a small problem letting our secretary edit contact information for our users, and I was hoping you can help me on this. I took the following steps:

1. Created the group “_hr.”
2. Assigned users to that group.
3. Created an OU called “active users.”
4. Went through the delegation wizard on the “active users” OU and gave that group read/write for the general/personal/phone/web/public.
5. Opened the advanced security of the active users OU and went to the “Effective Permissions” tab.

In the “Effective permissions” tab, all of the write attributes are gone (see Fig. 1), though I can see the attribute set to read/write on the “Permissions” tab (see Fig. 2).

Active Users OU permissions
Figure 1. Active Users OU permissions.
Active Users OU Effective Permissions
Figure 2. Active Users OU Effective Permissions.

Needless to say, our secretary can’t type in the user’s property pages. What did I miss?
— Yossi

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Yossi, one answer to your question is simple – just add the _hr group to the Domain Admins group. This will solve all of your problems and create countless more in the process! Since hopefully no administrator today is still practicing the troubleshooting approach of making everyone on the network a Domain Admin, let’s look a little deeper into your problem.

The output that you were viewing was correct. Just to recap, to allow users of the HR group to have permissions to modify user object attributes such as address and telephone number (along with the requested attributes in Yossi’s original question), you would need to perform the following steps:

  1. In Active Directory Users and Computers, first select the View menu and then click Advanced Features (you’ll need this later).
  2. Then right-click on the HR OU and select Delegation of Control.
  3. When the Delegation of Control Wizard opens, click Next.
  4. Click the Add button to add the HR group.
  5. In the Select Users, Computers, or Groups dialog box, enter “_hr” and click OK.
  6. Now click Next.
  7. Click the “Create a Custom Task to Delegate” radio button and click Next.
  8. Click the “Only the Following Objects in this Folder” radio button, then scroll down and check the User Objects checkbox and click Next.
  9. Under the Permissions portion of the window, scroll down and check the following boxes:

    Read and Write General Information
    Read and Write Personal Information
    Read and Write Phone and Mail Options
    Read and Write Web Information
    Read and Write Public Information
  10. Click Finish to close the Delegation of Control Wizard.

After delegation is complete, Yossi then looked at the Permissions and Effective Permissions of his new OU. The reason as to why his new permissions did not show up under the Effective Permissions tab is because the permissions were only applied to user objects and not the entire OU. This was evidenced by the output displayed under the Permissions tab, which displayed “User Objects” under the Apply To field for each permission that was added by the Delegation of Control Wizard.

To see the result of the Effective Permissions for the _hr group for user objects contained in the OU, you need to access the properties of a user object contained within the OU. To do this, follow these steps:

  1. Open Active Directory Users and Computers.
  2. Navigate to a user object in the OU in which control was delegated to the _hr user group.
  3. Right-click on the user object and select Properties.
  4. From the User object’s Properties window, click the Security tab and then click the Advanced button.
  5. Now click on Effective Permissions.
  6. Click the Select button, enter _hr in the Object Name field, and click OK.

Note that both read and write permissions for attributes such as Home Address are now present (see Fig. 3).

User object Effective Permissions
Figure 3. User object Effective Permissions.

So the key to understanding Effective Permissions ultimately lies in understanding where to look for them. Also note that the OS includes a link under the Effective Permissions tab that provides a more detailed explanation of how Effective Permissions are determined.

Once the appropriate permissions are assigned, the secretary could then modify user attributes such as telephone number by accessing the Address Book shortcut located in the Accessories folder, or by clicking on the Search Active Directory link listed under Network Tasks in My Network Places. With either of these methods, the secretary could search for a user and then read or change the necessary personal information. If problems still persist, I would then check to ensure that any of the typical permissions related problems aren’t present, such as:

  • The user account attempted to be modified is not located in the OU in which the secretary was delegated control.
  • The secretary belongs to another user group that has Deny permissions. In this case, querying effective permissions for the _hr group against a user object in the OU would not spot this. If the _hr group has the correct permissions (both read and write) and the secretary user object does not, querying the effective permissions of the secretary object would allow you to see this (the secretary user object does not have write permission while the _hr object does).
  • It’s also necessary to double-check to ensure that the secretary user object is a member of the _hr group. Many would probably perform this task first.
  • If the secretary was recently added to the _hr group, it’s also important to ensure that her access token is successfully re-created at logon. This is normally done with a simple logoff and logon to the domain. If her workstation is unable to contact a domain controller at logon, she could still log in with her cached credentials, but would not have an up-to-date access token. This problem could be verified by checking the System event log on her system and looking for critical events with Event ID 5719. This would indicate that a domain controller could not be contacted during the log-on process.

Effective Permissions can be a useful tool for troubleshooting permissions related problems. However, it’s important to remember that Effective Permissions is designed to present permissions related to the selected object itself and, thus, when OUs are involved, permissions delegated to child objects such as users in the OU will not be fully represented. When problems arise with access to a particular user object, it’s best to check the effective permissions of the user object itself rather than query its parent OU. Delegation at the OU can be verified by viewing the Permissions tab under the Advanced Security Settings for the OU.

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus
Most   Popular