Windows 2003's Delegation control wizard and property sets

 
neo [mvp outlook]
Posted: Mon Dec 20, 2004 12:14 am    Post subject: Windows 2003's Delegation control wizard and property sets

I've been reading through the Active Directory delegation whitepaper
published by Microsoft and one of the recommendations is to try to stick to
right delegation based on property sets since activating individual
properties may not be desirable. Unfortunately, what the paper does not cover is
how to delegate Property Sets via the delegwiz.inf. The paper is very clear
that Property Sets are not Extended Rights. So what should the template
look like if I wanted to delegate the "Public Information" and/or "Web
Information" property sets?

Thanks...
Guido G
Posted: Tue Dec 21, 2004 4:14 am    Post subject: Re: Windows 2003's Delegation control wizard and property se

You should treat the property sets just like permissions for properties in
the delegwiz.inf file.
It should work when you use the cn of the property, not the display name (e.g.
"Personal-Information" for the "Personal Information" propset).

Even though they're not treated as Extended Rights (ControlRights) in the
Delegation Wizard, they are defined as an Extended Right in the Config NC,
where you can also see the cn's of the property sets:
CN=Extended-Rights,CN=Configuration,DC=YourRoot

/Guido

Back to top
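
The lookup described in the reply above, as an added example that is not part of the original thread: it lists the property sets stored under CN=Extended-Rights in the Configuration NC with their cn values, and resolves which schema attributes each set covers, so the scope of a "Public Information" or "Web Information" delegation can be reviewed before it is granted. It assumes the ActiveDirectory PowerShell module (which postdates the Windows 2003 tooling discussed here); the function names Get-PropertySet and ConvertTo-LdapGuidFilter are hypothetical.

```powershell
# Added example: enumerate property sets and the attributes each one covers.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$schemaDn = $rootDse.schemaNamingContext

function ConvertTo-LdapGuidFilter {
    # Octet-string attributes are searched as escaped bytes (\xx\xx...).
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function Get-PropertySet {
    # validAccesses=48 (read property + write property) marks a property set;
    # ordinary extended rights use 256 and validated writes use 8.
    param([string[]]$Name)   # optional cn values, e.g. 'Web-Information'
    $sets = Get-ADObject -SearchBase $rightsDn -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=controlAccessRight)(validAccesses=48))' `
        -Properties cn, displayName, rightsGuid
    if ($Name) { $sets = $sets | Where-Object { $Name -contains $_.cn } }

    foreach ($set in $sets) {
        # Member attributes point back to the set via attributeSecurityGUID.
        $bytes   = ConvertTo-LdapGuidFilter -Guid $set.rightsGuid
        $members = Get-ADObject -SearchBase $schemaDn `
            -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$bytes))" `
            -Properties lDAPDisplayName
        [pscustomobject]@{
            CN          = $set.cn
            DisplayName = $set.displayName
            RightsGuid  = $set.rightsGuid
            Attributes  = ($members.lDAPDisplayName | Sort-Object)
        }
    }
}

# Review the two sets asked about in the thread before delegating them.
Get-PropertySet -Name 'Public-Information', 'Web-Information' |
    Format-List CN, DisplayName, RightsGuid, Attributes
```

Calling Get-PropertySet without -Name lists every property set in the forest.
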
neo [mvp outlook]
Posted: Tue Dec 21, 2004 5:04 am    Post subject: Re: Windows 2003's Delegation control wizard and property se

I tried the CN and I get a message back of "The templates could not be
applied. One or more the templates are not applicable. Click Back and
select different templates, and then try again." In case you need to know
the platform, I'm working with Windows 2003 (RTM)

Just to make sure I understand you right, here is the template.

[template161]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Personnel - User Management"
ObjectTypes = user

[template161.user]
Web-Information=WP
Public-Information=WP

Guido G
Posted: Tue Dec 21, 2004 12:04 pm    Post subject: Re: Windows 2003's Delegation control wizard and property se

hmm - I'll check this out and give you feedback - likely after X-mas...

/Guido

neo [mvp outlook]
Posted: Thu Dec 23, 2004 1:17 am    Post subject: Re: Windows 2003's Delegation control wizard and property se

Cool... since I'm duplicating the error in 2 different sites I'm curious to
see what you come up with because I am out of ideas.
