
AD Delegate Control doesn't like me...


cckens

IS-IT--Management
Jun 11, 2008
194
US
OK, I've run a check of threads in the whole of TekTips and no thread addresses this issue at length... so here goes.

Sitrep:
I'm slowly taking control of a small company's IT, getting my bearings on the network while still being tasked with "To Do's" that they want done. The IT management company still has monitoring of the network and devices (for now) and their agent is still in place on the server, but I have full domain admin access to the network and all DCs. I am now tasked with setting up a way for users to change their personal information in the GAL. Simple, so I thought. The actual app to do the change is irrelevant, it's getting AD to recognize the changes I've made so that users have the appropriate permissions...

Environment:
2k3 servers, 2 DCs, I have domain admin privilege.

Tried:
Delegate control - Self, Custom Task, User Objects:
Property specific: read/write Phone/Mail, RW Personal information - No effect
General: selected the individual properties for items (i.e. Address, Phone) - No effect

I've tried GALMOD32 and Windows Address Book to do a basic edit on my standard user account, and "it no likey." I know it takes time for the changes to propagate, but I've been banging my head for the last 24 hours waiting for these changes to take effect and no go.
Anyone think of a reason why it wouldn't?

cckens

"Not always my best shot, but I hit the target now and then"
-me
 
"The actual app to do the change is irrelevant"
Not true. Knowing which app may help in determining what's going on.

If both DCs are local, there is no propagation lag. It does take time for the GAL to be rebuilt, which happens once per day (by default). However, you can go in and view it within ESM to see if your changes have been made.

You don't mention WHAT information is being changed. If it's info such as contact info, department, etc, then that's AD info, not really GAL info. You should see changes there right away.

The method I really like using is
which works great*. Not only can you define which fields can be changed, but you can use pull down menus, radio buttons, etc. It also uses AJAX for lookup on some fields like manager and assistant names. Check out the demo.

* - Disclaimer - The app is written by a company owned by another MVP, someone I'd consider a friend. I receive nothing for this endorsement of the product. I mention it only because I use it in various installations, and it's been great.

Pat Richard MVP
 
Pat,
Standard employee contact data for the most part, address, phone, city/state/zip. This is why I say app is irrelevant as any number of apps (both web and standalone) just access AD using existing credentials and allow what SELF will allow.

Both DCs are local (one PDC, one BDC). I made the first (of many) change(s) yesterday and it never crystallized into AD. I tried this morning to make sure that I could change the data on my standard user account. No good. So then I tried again and am going to wait it out til tomorrow to see if it takes. In the meantime I've been reading anything and everything that I can to see what might be going on in Delegate control. Maybe I missed a dialog or something, I don't know.

As for Directory update, I've read up on it and for the money it would be one app that I'd consider investing in, if that were an option. I'm trying to do this on the cheap as I don't really have a budget for new software so I have to write off any option that goes above (say) $0. I've found a web based app (rDirectory Community Edition) that has what I want for now and is free. I just need for AD to recognize that SELF has the ability to change its own contact information. And that's the part that is killing me.

BTW, I can't find the information in ESM, but ADUC can show the info, it just doesn't seem to know that I've done it. Unless you're talking about the security properties (Advanced) of the mailbox store, in which case it doesn't show the change.

cckens

"Not always my best shot, but I hit the target now and then"
-me
 
As for your last paragraph, I'm a little confused. You say you can see the info in ADUC. Does that mean that you make a change, and you see the change in ADUC? If that's the case, and you've waited the minimum 48 hours for it to show up in Outlook (assuming cached mode), it's NOT showing up there?

Pat Richard MVP
 
I guess I'm not as clear as I thought I was...

What I meant was that I can find where the permissions are supposed to be showing, but no changes have been registered in AD even after I use the Delegate control wizard. This is what confuses me.

From what I know, if I make a change to the contact properties using GALMOD32, and the permissions are set correctly by Delegate Control, then the changes should show up immediately in ADUC if I look up the user. This is not happening.

I guess my question is, is there a manual way to set up the permissions without using Delegate Control? I suppose that I could create a Group Policy specifically for the OU in which the users reside. Mind, this is a small company (20 or so users with 30 or so machines) and there is only one OU for users (not the builtin users group). Domain Admin rights are assigned singly on only 3 user accounts in that OU (myself, my manager, and the outsource monitoring account). It's rather frustrating to say the least.

It's also a thought that any changes that I make to AD are being removed by the outsource or some policy they set up... I just don't know.

cckens

"Not always my best shot, but I hit the target now and then"
-me
 
I think I have it figured out...

Stupid me... I didn't have the advanced features set up (View -> Advanced Features) in ADUC so I couldn't see what I needed to see (even though I THOUGHT I could see what I needed to see). Why this would have any effect on exactly what I needed to do, I have no idea, but suffice it to say, it works now.

I checked the rights for an individual user and found that what I set yesterday (and the day before) didn't exist, so I went back into Delegate Control and re-added Personal information (R/W) and Phone and Mail (R/W) to SELF. Now, voilà! I can get in using rDirectory and change the contact info on my standard user account. I tested with another user and she was able to modify her info as well.

Pat, thanks for suffering through my mental gyration and for making me actually THINK it through. Star for you for being the voice of reason!

cckens

"Not always my best shot, but I hit the target now and then"
-me
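
The check that resolved this thread (looking at the rights on an individual user and finding the delegated entry missing) can also be done without ADUC's Advanced Features view. The following is an added example, not code from any poster in the thread: it reads the ACL on the OU and on one user through ADSI and lists Allow entries that give SELF write access to the Personal Information property set. Both distinguished names are hypothetical placeholders; only Personal Information is checked here.

```powershell
# Added example (not from the thread). Both DNs are hypothetical placeholders.
$ouDn   = 'OU=Staff,DC=example,DC=com'
$userDn = 'CN=Test User,OU=Staff,DC=example,DC=com'

$selfSid      = 'S-1-5-10'   # well-known SID of SELF (Principal Self)
$personalInfo = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'   # Personal-Information property set
$writeProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-SelfWriteAce {
    param([string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # psbase reaches the underlying DirectoryEntry, which also works on PowerShell 1.0.
    # Asking for SecurityIdentifier avoids depending on the localized name of SELF.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $selfSid) { continue }
        if ($rule.AccessControlType -ne 'Allow')        { continue }
        if (([int]$rule.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }

        # An empty ObjectType means the ACE covers every property, not one property set.
        $scope = $null
        if ($rule.ObjectType -eq $personalInfo)    { $scope = 'Personal Information' }
        elseif ($rule.ObjectType -eq [guid]::Empty) { $scope = 'All properties' }
        if (-not $scope) { continue }

        New-Object PSObject -Property @{
            Object      = $DistinguishedName
            Scope       = $scope
            Rights      = $rule.ActiveDirectoryRights
            IsInherited = $rule.IsInherited      # True on the user if it flows down from the OU
            Inheritance = $rule.InheritanceType
        }
    }
}

foreach ($dn in $ouDn, $userDn) {
    $aces = @(Get-SelfWriteAce -DistinguishedName $dn)
    if ($aces.Count -eq 0) {
        Write-Output "${dn}: no SELF write entry for Personal Information"
    } else {
        $aces | Format-Table Object, Scope, Rights, IsInherited, Inheritance -AutoSize
    }
}
```

If the OU shows the entry but the user does not, the delegation exists and is not reaching that account; if neither shows it, the wizard's change was never written.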
 