Correct - however certain things in this tab do update the userProperties-Attribute. This attribute does not hold clear data. So depending on the attributes and their requirements you'll have to use other things than LDP/ADSIEdit or generic scripting without using the supported interfaces.
Ulf From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick Sent: Freitag, 1. Dezember 2006 01:26 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Delegate VPN rights Keep in mind that this is only via the ADUC UI - since you have already delegated this to the user you can use ldp\script etc.. to set the msNPAllowDialin == true. It should reflect properly in ADUC when you next view that user.. spat ----- Original Message ----- From: Ulf B. Simon-Weidner <mailto:[EMAIL PROTECTED]> To: ActiveDir@mail.activedir.org Sent: Thursday, November 30, 2006 2:18 PM Subject: RE: [ActiveDir] Delegate VPN rights Hi Ben, the entire Dial-In Tab doesn't allow granular delegation - you need to delegate everything which is on the tab since it's writing back all attributes on the Tab no matter what. If you feel this is wrong open up a case with PSS and line up in the row of customers which want this changed. I've had a Critical Design Change Request with an Insurance Group about this, however it was not requested by other customers at this time and therefore not changed for a single customer. Some Infos I've wrote once about this issue: http://www.windowsserverfaq.de/faq/DialInTab.asp Gruesse - Sincerely, Ulf B. Simon-Weidner Profile & Publications: <blocked::http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F 2F1214C811D> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D Weblog: <blocked::http://msmvps.org/UlfBSimonWeidner> http://msmvps.org/UlfBSimonWeidner Website: <blocked::http://www.windowsserverfaq.org/> http://www.windowsserverfaq.org From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Donnerstag, 30. November 2006 18:35 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate VPN rights I'm attempting to delegate out the permissions to adjust the Remote Access Permissions under the Dial-In tab in Active Directory for user accounts. When performing an LDAP query, I notice that changes to this setting are recorded in the msNPAllowDialin attribute. Set to False when Deny Access is set, True when Allow Access is set, and "not set" when Control Access through Remote Access Policy is set. However when I attempt to delegate out the rights to a security group so they can modify this, it is not listed as a selectable property. Am I missing something here? Should I be looking for a different property to delegate out this right? Thanks, ~Ben Watson
