sounds to me as if you've not set the permission to
_inherit_ down to existing objects - check in the Advanced tab of the security
editor (the tab that displays the permissions on your OU in ADUC) and see if
your Full Control permission are set for User Objects (which will then
automatically inherit down to user objects within this OU). If you've set the
permission to all object, you'll explicitely have to set the scope of the
permission to apply to "This object and all child objects" (or just to the child
objects) - this will then inherit the permission to objects within the
OU.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Donnerstag, 25. August 2005 10:46
To: Active
Subject: [ActiveDir] OU permissions for user object
Hi,
I've created an OU and I have delegated a security group the
Create/Delete User Object with Full Permissions.
I have also delegated the 'Create, Delete & Manage User Account' right
with F/C
I only want this security group to be able to manage user accounts in this
OU and modify the users details/group membership.
The problem I have is that I can't enable/disable a user or modify the
user's details on an account which already exists.
If I create a new account, I can do all the delegated tasks set, but
on existing accounts I get error messages such as "you have insufficient
rights to perform this operation" or the details are greyed
out.
Any idea's where I can check?
Iain
__________________________________________________
Do You Yahoo!?
Tired
of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com