Delegate remote access permission

Hi Jorge.

I tried setting true/false/not set for NPAllowDialin attribute via Adsiedit.
However this will not work because our helpdesk need to use mmc console to
remote manage AD users. Thanks anyway!

"Jorge de Almeida Pinto [MVP]" wrote:

> Try it yourself...
>
> Through ADSIEDIT I was able to set the attribute to true/false/not set
> which corresponds to Allow Dial-in/Deny Dial-in/Through Policies
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
> "Allan Tee" <AllanTee.DeleteThis@discussions.microsoft.com> wrote in message
> news:FDD090D8-0800-46DC-AD52-CA497CF882A8@microsoft.com...
> > Hi Jorge!
> >
> > That is the exact error message I get via ADUC "changes were not saved
> > because: Access is denied"
> >
> > did you mean i you set msNPAllowDialin attribute via adsiedit.msc and when
> > you used ADUC to grant/deny dialin access it workeD?
> >
> > Thanks for following up on this!
> >
> >
> >
> > "Jorge de Almeida Pinto [MVP]" wrote:
> >
> >> just tried it myself using aduc and it says:
> >> Dial-in profile changes were not saved because: Access is denied
> >>
> >> However, setting the attribute I mentioned through ADSIEDIT.MSC does work
> >>
> >> I used W2K3 SP1
> >>
> >> --
> >>
> >> Cheers,
> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> >>
> >> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
> >>
> >> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> >> -----------------------------------------------------------------------------
> >> * This posting is provided "AS IS" with no warranties and confers no
> >> rights!
> >> * Always test before implementing!
> >> -----------------------------------------------------------------------------
> >>
> >>
> >> -----------------------------------------------------------------------------
> >> "Jorge de Almeida Pinto [MVP]"
> >> <SubstituteThisWithMyFullNameSeparatedByDots.DeleteThis@gmail.com> wrote in message
> >> news:%23JsYp4UNGHA.3832@tk2msftngp13.phx.gbl...
> >> >I understand "it" does not work for you...
> >> >
> >> > what do you mean with "setting msNPAllowDialin still didnt grant our
> >> > helpdesk right to
> >> >> grant/deny dialin access via ADUC"
> >> >
> >> > explain what you have done
> >> >
> >> > --
> >> >
> >> > Cheers,
> >> > (HOPEFULLY THIS INFORMATION HELPS YOU!)
> >> >
> >> > # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
> >> >
> >> > BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> >> > -----------------------------------------------------------------------------
> >> > * This posting is provided "AS IS" with no warranties and confers no
> >> > rights!
> >> > * Always test before implementing!
> >> > -----------------------------------------------------------------------------
> >> >
> >> >
> >> > -----------------------------------------------------------------------------
> >> > "Allan Tee" <AllanTee.DeleteThis@discussions.microsoft.com> wrote in message
> >> > news:4A015877-4F99-4175-8233-E4FCC2D43568@microsoft.com...
> >> >> hi jorge, setting msNPAllowDialin still didnt grant our helpdesk right
> >> >> to
> >> >> grant/deny dialin access via ADUC. just to let you and others know.
> >> >> thanks!
> >> >>
> >> >> "Allan Tee" wrote:
> >> >>
> >> >>> hi jorge,
> >> >>>
> >> >>> you are right i changed the msNPAllowDialin option under [computer]
> >> >>> instead
> >> >>> of the [user] section. i was able to delegate Read/Write
> >> >>> msNPAllowDialin
> >> >>> to
> >> >>> my helpdesk for a particular OU. will have them test it out and reply
> >> >>> here
> >> >>> about the result. hope it works! thanks very much!
> >> >>>
> >> >>> "Jorge de Almeida Pinto" wrote:
> >> >>>
> >> >>> > Yes there is...
> >> >>> > I guess you changed the msNPAllowDialin option under [computer].
> >> >>> > You
> >> >>> > should
> >> >>> > change it under [user]
> >> >>> >
> >> >>> > open up %windir%\system32\dssec.dat again... search for it change
> >> >>> > the
> >> >>> > computer option back to its original value and the user option this
> >> >>> > time
> >> >>> > and try again.
> >> >>> >
> >> >>> > create a custom tasks for USER specific objects
> >> >>> >
> >> >>> > --
> >> >>> >
> >> >>> > Cheers,
> >> >>> > (HOPEFULLY THIS INFORMATION HELPS YOU!)
> >> >>> > # Jorge de Almeida Pinto #
> >> >>> > BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> >> >>> > -----------------------------------------------------------------------------
> >> >>> > * This posting is provided "AS IS" with no warranties and confers
> >> >>> > no
> >> >>> > rights!
> >> >>> > * Always test before implementing!
> >> >>> > -----------------------------------------------------------------------------
> >> >>>
> >> >
> >> >
> >>
> >>
> >>
>
>
>

here are the steps I completed to do this. And yes it works through
ADUC. The main thing I see missing from above is granting the
read/srite userParameters right.

ManageDialin
Note: this model requires editing the C:\windows\system32\DSSEC.DAT
file on the DC that you are running ADUC on. See
http://support.microsoft.com/?id=296490 for more details. In short,
some of the rights that need to be delegated are filtered out from the
list by default. Edit the file so that these permissions are no longer
filtered (set them from 7 to a 0):
1. Set the following values to 0 under the [user] area in the file (not
under [computer]):
" msNPAllowDialin=0
msNPCallingStationID=0
msNPSavedCallingStationID=0
msRADIUSCallbackNumber=0
msRADIUSFramedIPAddress=0
msRADIUSFramedRoute=0
msRADIUSServiceType=0


msRASSavedCallbackNumber=0
msRASSavedFramedIPAddress=0
msRASSavedFramedRoute=0"
2. Save the file and then open ADUC / run delegation wizard etc as
outlined below.
3. Specify the group to delegate to (DELG Group)
4. Select Create a custom task to delegate and select Next
5. Select Only the following objects in the folder
a. User objects
6. Select Next
7. Select General and Property-specific under Show these permissions
8. Select "Read and Write Remote Access Information"
9. Select the Read and Write checkboxes for all of the following
attributes
" msNPAllowDialin
msNPCallingStationID
msNPSavedCallingStationID
msRADIUSCallbackNumber
msRADIUSFramedIPAddress
msRADIUSFramedRoute
msRADIUSServiceType
msRASSavedCallbackNumber
msRASSavedFramedIPAddress
msRASSavedFramedRoute
userParameters"
10. Select Next
11. Review Summary and Select Finish to complete


--
EricE
------------------------------------------------------------------------
EricE's Profile: http://forums.techarena.in/member.php?userid=26195
View this thread: http://forums.techarena.in/showthread.php?t=401641

http://forums.techarena.in

Sorry to bring back such an old post but I need to do the same thing for
mobile numbers and was wondering if this would work for Windows 2003?


--
danthony2
------------------------------------------------------------------------
danthony2's Profile: http://forums.techarena.in/members/116955.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/401641.htm

http://forums.techarena.in

Hello danthony2,

As you said this seems to be an old posting, because no surce problem is
to see. So please describe in detail what you are trying to achive. Is the
2003 server a domain controller, domain member or workgroup server? Is it
fully patched?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Sorry to bring back such an old post but I need to do the same thing
> for mobile numbers and was wondering if this would work for Windows
> 2003?
>
> http://forums.techarena.in
>

Hello Meinolf,

Thanks for the offer of help. I believe the 9 DCs are all running SP2.
Our goal is to only delegate 1 group (Helpdesk) to be able to read/write
the mobile number field in ADUC. I think the solution above will work
for this?

Thanks,
David


--
danthony2
------------------------------------------------------------------------
danthony2's Profile: http://forums.techarena.in/members/116955.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/401641.htm

http://forums.techarena.in

Hello danthony2,

Again i can not see any solution in your posting, that's the reason i asked
you to start a new thread with all information about.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello Meinolf,
>
> Thanks for the offer of help. I believe the 9 DCs are all running SP2.
> Our goal is to only delegate 1 group (Helpdesk) to be able to
> read/write the mobile number field in ADUC. I think the solution above
> will work for this?
>
> Thanks,
> David
> http://forums.techarena.in
>