RE: RE: [ActiveDir] Delegation of Callback-Number
Agreed that it'll take some time to get the fix. TS'ing for administration: quite easy - customer is not ready yet to roll out XP (currently on NT) and the same helpdesk is supporting NT applications as well. And did I mention there are site admins as well, who have the least rights but are spread out in germany on a lot of sites and they are covering subsites as well. They had the choice of a second workplace (second laptop to carry around for the site admins), new software, self developed stuff, asp-pages for the admintasks, or using a citrix server where they had about 100 licences left over and the hardware was already there too. So we made a custom ADUC for their tasks and we were putting in on the TS. I would have preferred the webbased administration, but it was their decision since the solution is needed interim anyways. I'm quite sure that the patch will be available faster than them deploying XP - and since it only affects the ADUC we won't have a lot of issues there betatesting the QFE in a test environment first then put it onto a testmachine in production. Ulf -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, July 10, 2004 2:36 AM To: [EMAIL PROTECTED] Subject: RE: RE: [ActiveDir] Delegation of Callback-Number Even if MS agrees to fix it, which can take quite a while to get that agreement. It could be yet another while to get the buddy drop and if your customer isn't willing to install the buddy in production (perfectly understandable) they get to wait even longer for the official QFE. And what's this about the help desk TS'ing into a server to do admin work (smack of my palm to my forehead...). joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 09, 2004 10:12 AM To: [EMAIL PROTECTED] Subject: Re: RE: [ActiveDir] Delegation of Callback-Number Yes - it's a confirmed bug in the interface. When opening the page it checks the allowedattributeseffective and enables the box, when clicking OK it want's to write unchanged stuff which was not delegated and therefore receives an access denied from AD. It's definitelly a problem of the tab and not of layer 8. However, programmatically changing is not OK for this customer since administration is delegated and ADUC is available on the Terminal Server. Would be a work around what we might take if absolutely necessary, but as far as I understood the escalation engineer at PSS they are willing to fix this issue if there's a need for it - so I'm searching for other companies who want to have the callbacknumber set by the helpdesk but the other RAS-Properties by another department (it violates the companies policies if the general helpdesk would be able to assign the permissions to dial in). Ulf joe [EMAIL PROTECTED] schrieb am 09.07.2004, 04:19:29: Hey Ulf - can you just script it? joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, July 07, 2004 6:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Delegation of Callback-Number Hi there, I have a customer who where we implemented the least permissions necessary for each group fulfilling administrative tasks. One of those tasks is that they are required that just a small group has the permissions to grant RAS permissions, and every useraccount is forced to be called back to a previously set number. To scale that solution better, the user-helpdesk should be able to change the callback-number, but they are not allowed to do anything else in the RAS-Permissions. Those are the requirements. Point. Couple month ago I discovered some bugs in the ADUC Dial-In Tab. After installing a hotfix that allows non-administrator accounts to see the dialin-tab and figuring out that I need to set the permissions for the helpdesk for the msRadiusCallbackNumber and the userProperties attributes I figured that there's an additional bug in the tab: the helpdesk is now able to change the Callback-Number in the interface, however as soon as they click on Apply or OK there's an error that the rights are not sufficient. This is a bug, which is verified by Microsoft. The only way to delegate the permissions on the RAS Tab - due to the bug - is to grant the group full permissions on everything of the RAS-Tab. This is not acceptable in our case. Now comes why I'm posting: We have a open call at PSS, already did a CDCR and political impact, but MS told us that they think it's not a option requested by customers and they need at least another customer with that requirement to fix that. I do not believe that we are the only ones with that request - however I do believe that those out there who had a request like that stopped early in the process instead of going the way through. So if anyone of you knows a company which has those
RE: RE: [ActiveDir] Delegation of Callback-Number
Even if MS agrees to fix it, which can take quite a while to get that agreement. It could be yet another while to get the buddy drop and if your customer isn't willing to install the buddy in production (perfectly understandable) they get to wait even longer for the official QFE. And what's this about the help desk TS'ing into a server to do admin work (smack of my palm to my forehead...). joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 09, 2004 10:12 AM To: [EMAIL PROTECTED] Subject: Re: RE: [ActiveDir] Delegation of Callback-Number Yes - it's a confirmed bug in the interface. When opening the page it checks the allowedattributeseffective and enables the box, when clicking OK it want's to write unchanged stuff which was not delegated and therefore receives an access denied from AD. It's definitelly a problem of the tab and not of layer 8. However, programmatically changing is not OK for this customer since administration is delegated and ADUC is available on the Terminal Server. Would be a work around what we might take if absolutely necessary, but as far as I understood the escalation engineer at PSS they are willing to fix this issue if there's a need for it - so I'm searching for other companies who want to have the callbacknumber set by the helpdesk but the other RAS-Properties by another department (it violates the companies policies if the general helpdesk would be able to assign the permissions to dial in). Ulf joe [EMAIL PROTECTED] schrieb am 09.07.2004, 04:19:29: Hey Ulf - can you just script it? joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Wednesday, July 07, 2004 6:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Delegation of Callback-Number Hi there, I have a customer who where we implemented the least permissions necessary for each group fulfilling administrative tasks. One of those tasks is that they are required that just a small group has the permissions to grant RAS permissions, and every useraccount is forced to be called back to a previously set number. To scale that solution better, the user-helpdesk should be able to change the callback-number, but they are not allowed to do anything else in the RAS-Permissions. Those are the requirements. Point. Couple month ago I discovered some bugs in the ADUC Dial-In Tab. After installing a hotfix that allows non-administrator accounts to see the dialin-tab and figuring out that I need to set the permissions for the helpdesk for the msRadiusCallbackNumber and the userProperties attributes I figured that there's an additional bug in the tab: the helpdesk is now able to change the Callback-Number in the interface, however as soon as they click on Apply or OK there's an error that the rights are not sufficient. This is a bug, which is verified by Microsoft. The only way to delegate the permissions on the RAS Tab - due to the bug - is to grant the group full permissions on everything of the RAS-Tab. This is not acceptable in our case. Now comes why I'm posting: We have a open call at PSS, already did a CDCR and political impact, but MS told us that they think it's not a option requested by customers and they need at least another customer with that requirement to fix that. I do not believe that we are the only ones with that request - however I do believe that those out there who had a request like that stopped early in the process instead of going the way through. So if anyone of you knows a company which has those requirements and would like to have that fixed, contact me asap to see if we are able to get that fixed. As far as I was told from PSS they'd like to get that fixed too but are unable to assign developer-resources for it if it's not requested by the market. This issue bugs me since the beginning of the year :-( Gruesse - Sincerely, Ulf B. Simon-Weidner -- GrĂ¼sse - Sincerely, Ulf B. Simon-Weidner List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Delegation of Callback-Number
Hey Ulf -can you just script it? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-WeidnerSent: Wednesday, July 07, 2004 6:32 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Delegation of Callback-Number Hi there,I have a customer who where we implemented the least permissions necessary for each group fulfilling administrative tasks. One of those tasks is that they are required that just a small group has the permissions to grant RAS permissions, and every useraccount is forced to be called back to a previously set number. To scale that solution better, the user-helpdesk should be able to change the callback-number, but they are not allowed to do anything else in the RAS-Permissions.Those are the requirements. Point.Couple month ago I discovered some bugs in the ADUC Dial-In Tab. After installing a hotfix that allows non-administrator accounts to see the dialin-tab and figuring out that I need to set the permissions for the helpdesk for the msRadiusCallbackNumber and the userProperties attributes I figured that there's an additional bug in the tab: the helpdesk is now able to change the Callback-Number in the interface, however as soon as they click on Apply or OK there's an error that the rights are not sufficient.This is a bug, which is verified by Microsoft.The only way to delegate the permissions on the RAS Tab - due to the bug - is to grant the group full permissions on everything of the RAS-Tab. This is not acceptable in our case.Now comes why I'm posting:We have a open call at PSS, already did a CDCR and political impact, but MS told us that they think it's not a option requested by customers and they need at least another customer with that requirement to fix that. I do not believe that we are the only ones with that request - however I do believe that those out there who had a request like that stopped early in the process instead of going the way through.So if anyone of you knows a company which has those requirements and would like to have that fixed, contact me asap to see if we are able to get that fixed. As far as I was told from PSS they'd like to get that fixed too but are unable to assign developer-resources for it if it's not requested by the market.This issue bugs me since the beginning of the year :-( Gruesse - Sincerely, Ulf B. Simon-Weidner
[ActiveDir] Delegation of Callback-Number
Hi there, I have a customer who where we implemented the least permissions necessary for each group fulfilling administrative tasks. One of those tasks is that they are required that just a small group has the permissions to grant RAS permissions, and every useraccount is forced to be called back to a previously set number. To scale that solution better, the user-helpdesk should be able to change the callback-number, but they are not allowed to do anything else in the RAS-Permissions. Those are the requirements. Point. Couple month ago I discovered some bugs in the ADUC Dial-In Tab. After installing a hotfix that allows non-administrator accounts to see the dialin-tab and figuring out that I need to set the permissions for the helpdesk for the msRadiusCallbackNumber and the userProperties attributes I figured that there's an additional bug in the tab: the helpdesk is now able to change the Callback-Number in the interface, however as soon as they click on Apply or OK there's an error that the rights are not sufficient. This is a bug, which is verified by Microsoft. The only way to delegate the permissions on the RAS Tab - due to the bug - is to grant the group full permissions on everything of the RAS-Tab. This is not acceptable in our case. Now comes why I'm posting: We have a open call at PSS, already did a CDCR and political impact, but MS told us that they think it's not a option requested by customers and they need at least another customer with that requirement to fix that. I do not believe that we are the only ones with that request - however I do believe that those out there who had a request like that stopped early in the process instead of going the way through. So if anyone of you knows a company which has those requirements and would like to have that fixed, contact me asap to see if we are able to get that fixed. As far as I was told from PSS they'd like to get that fixed too but are unable to assign developer-resources for it if it's not requested by the market. This issue bugs me since the beginning of the year :-( Gruesse - Sincerely, Ulf B. Simon-Weidner
