Delegation and Inheritance
Reposting as I posted in the wrong forum the first time (sorry about the duplication).
Edit: Used the term “OU” where I should have used the term “group” when referring to the “Help Desk” item. I’m delving into MS Active Directory for the first time, and I’ve run into a road block regarding how delegation and inheritance mix. I’m reading the 70-640 Microsoft book for anyone that wants to follow along. I’ve already posted into an MS forum, so for efficiency, I’ll just copy/paste:
Part 1 ——————–
Hi all. I have what is likely a very simple question, but as I’m just starting out, nothing is obvious. I’m reading the 70-640 book on Active Directory and I’m trying to understand how ACEs applied to groups really work. I think the best way to ask my question is by example. I’m on p. 78 (Ch 2, Lsn 3, Ex 1) and I’m delegating the “reset password” ACE to the “Help Desk” group, so Barbara Mayer, being a member of the “Help Desk” group, can now reset passwords. That’s great.
So I’m thinking, from now on, all my help desk employees are going to be able to reset passwords, which sounds good to me, so I add Dan Holmes to the group “Help Desk”, check his effective permissions, and Dan can’t reset passwords!?! What did I just miss?
At this point I’m thinking I have to keep a spreadsheet of every ACE I apply to every group so that I can reapply those ACEs to new members of groups, which seems totally crazy, so I know I’m missing something here. Can someone please explain what I’m not understanding? Thanks.
Part 2 ——————————-
I’ve made it to the end of Chapter 2, and I think I understand what’s going on, but it still doesn’t seem reasonable. When I started, I thought I was giving users in the “Help Desk” group the permission to reset other users’ passwords (which is apparently wrong). Now, it appears to me that I was actually giving users the privilege of having their password changed by someone currently in the Help Desk group. So if I add a new user, I can automatically know that existing Help Desk group members will be able to change the new user’s password, but if I add someone to the Help Desk group, that new member of the Help Desk group will not be able to change any users’ passwords regardless of when I add them. This still seems really strange…. so now I need to keep track of what ACE I’ve applied to what group, and reapply the ACE using the ACE Wizard each time I make a user part of an existing group. This is totally crazy!!!
—————————–
Can someone show me where I’m going wrong? Thanks in advance.
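As an added example (not from the 70-640 book and not the original poster’s own steps), here is the same delegation done in PowerShell instead of the Delegation of Control wizard, with the ACE read back from the OU so you can see whom it names. The OU path, the group name and the new member’s account name are assumptions for a lab domain; the two schema GUIDs are the well-known ones for the “Reset Password” control access right and the “user” object class.

```powershell
# Added example, not from the book or the original post. The OU path, the
# group name and the account name are assumptions; change them to match your lab.
Import-Module ActiveDirectory

$ouDn      = "OU=User Accounts,DC=contoso,DC=com"   # assumed OU holding the user accounts
$groupName = "Help Desk"                             # assumed global group to delegate to

# Well-known schema GUIDs (the same in every AD forest)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # controlAccessRight "Reset Password"
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the "user" class

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Build the ACE the wizard writes: allow the group's SID the "Reset Password"
# extended right, inherited by every descendant user object of the OU.
# The ACE carries the group's SID, not the SIDs of its current members.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read the ACL back and show only the Reset Password ACEs. IdentityReference
# shows DOMAIN\Help Desk; no individual user appears in the ACL.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $resetPasswordRight } |
    Format-Table IdentityReference, AccessControlType, InheritedObjectType, IsInherited -AutoSize

# An access check compares the ACE's SID with the group SIDs in the caller's
# token, so adding an account to the group is the whole change. The new member
# needs a fresh logon (new token / Kerberos ticket) before the group is in it.
Add-ADGroupMember -Identity $groupName -Members "dholmes"   # assumed sAMAccountName
Get-ADGroupMember -Identity $groupName -Recursive | Select-Object SamAccountName
```

Run this as a domain administrator in the lab domain. The `Format-Table` output is the check worth keeping: if the only Reset Password ACE on the OU is granted to `DOMAIN\Help Desk`, there is nothing to reapply when membership changes, and a member who still cannot reset passwords should first log off and on again before you look anywhere else.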