Delegation and Inheritance

By Curt
I'm delving into MS Active Directory for the first time, and I've run into a roadblock regarding how delegation and inheritance mix. I'm reading the 70-640 Microsoft book for anyone that wants to follow along. I've already posted into a MS forum, so for efficiency, I'll just copy/paste:

Hi all. I have what is likely a very simple question, but as I'm just starting out, nothing is obvious.

I'm reading the 70-640 book on Active Directory and I'm trying to understand how ACEs applied to OUs really work. I think the best way to ask my question is by example. I'm on p. 78 (Ch 2, Lsn 3, Ex 1) and I'm delegating the "reset password" ACE to the "Help Desk" OU, so Barbara Mayer, being a member of the "Help Desk" OU, can now reset passwords. That's great.

So I'm thinking, from now on, all my help desk employees are going to be able to reset passwords, which sounds good to me, so I add Dan Holmes to the group "Help Desk", check his effective permissions, and Dan can't reset passwords!?! What did I just miss?

At this point I'm thinking I have to keep a spreadsheet of every ACE I apply to every OU so that I can reapply those ACEs to new members of OUs, which seems totally crazy, so I know I'm missing something here. Can someone please explain what I'm not understanding? Thanks.

Part 2 -------------------------------
I've made it to the end of Chapter 2, and I think I understand what's going on, but it still doesn't seem reasonable. When I started, I thought I was giving users in the "Help Desk" OU the permission to reset other users' passwords (which is apparently wrong). Now, it appears to me that I was actually giving users the privilege of having their password changed by someone in the Help Desk group. So if I add a new user, I can automatically know that existing Help Desk OU members will be able to change the new user's password, but if I add someone to the Help Desk OU, that new member of the Help Desk OU will not be able to change any users' passwords regardless of when I add them. This still seems really strange.... so now I need to keep track of what ACE I've applied to what OU, and reapply the ACE using the ACE Wizard each time I make a user part of an existing OU. This is totally crazy!!!

Can someone show me where I'm going wrong? Thanks in advance.
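An added illustration of the model the question is circling (this is not code from the thread or the book): the delegated right is an ACE stored on the OU's security descriptor, granted to a trustee (a user or a security group), and it applies to the user objects contained in that OU. This PowerShell, assuming the RSAT ActiveDirectory module and placeholder domain, OU path and account name, lists those ACEs so you can see who holds the right and what it targets.

```powershell
# Added example, not from the thread. Shows the two halves of a delegation:
# the TRUSTEE (who may reset passwords) and the TARGETS (whose passwords).
# Assumes the RSAT ActiveDirectory module; DN and account are placeholders.
Import-Module ActiveDirectory

$ouDn = "OU=Help Desk,DC=contoso,DC=com"   # assumed placeholder, replace with your OU

# Well-known AD schema GUIDs (not page-specific values):
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right "Reset Password"
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # object class "user"
$extendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# The ACL lives on the OU object itself, not on its members.
$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        $_.ObjectType -eq $resetPasswordRight
    } |
    ForEach-Object {
        # InheritedObjectType names the class of child object the ACE applies to.
        $appliesTo = if ($_.InheritedObjectType -eq $userClass) { 'user objects in OU' }
                     else { $_.InheritedObjectType }
        [pscustomobject]@{
            # Rights belong to THIS principal (normally a group), not to whatever
            # accounts happen to be placed inside the OU.
            Trustee     = $_.IdentityReference
            Type        = $_.AccessControlType
            AppliesTo   = $appliesTo
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    }

# To check whether a given account holds the right, compare its DIRECT group
# membership with the Trustee column above (nested membership is not expanded here).
Get-ADPrincipalGroupMembership -Identity 'dan.holmes' |   # assumed sAMAccountName
    Select-Object -ExpandProperty Name
```

Moving an account into the OU makes it a target of the ACE; only adding it to the trustee group gives it the right.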

Repost as 'Q&A'

by CharlieSpencer In reply to Delegation and Inheritanc ...

Try reposting this in the 'Q&A' forum. The 'Discussion' forum is for matters of general discussion, not specific problems in search of a solution. The 'Water Cooler' is for non-technical discussions. You can submit a question to 'Q&A' here:

There are TR members who specifically seek out problems in need of a solution. Although there is some overlap between the forums, you'll find more of those members in 'Q&A' than in 'Discussions' or 'Water Cooler'.

Be sure to use the voting buttons to provide your feedback. Voting a '+' does not necessarily mean that a given response contained the complete solution to your problem, but that it served to guide you toward it. This is intended to serve as an aid to those who may in the future have a problem similar to yours. If they have a ready source of reference available, perhaps they won't need to repeat questions previously asked and answered. If a post did contain the solution to your problem, you can also close the question by marking the helpful post as "The Answer".

by Curt In reply to Delegation and Inheritanc ...

Thanks. I'll do it.
