Questions tagged [delegation]
The delegation tag has no usage guidance.
142
questions
11
votes
2
answers
2k
views
How can I determine what permissions my user is missing for receiving a ZFS dataset?
I have a FreeNAS (11.1-U1) and a FreeBSD (11.1-RELEASE-p6) machine. On the FreeNAS I'd like to zfs receive recursive snapshots as a non-root user with delegated privileges. This appears to work well ...
10
votes
1
answer
1k
views
NS records chicken and egg: NS in the domain it's serving [duplicate]
I've dealt with BIND for years and this has always kind of bugged me.
$ dig google.com ns
;; QUESTION SECTION:
;google.com. IN NS
;; ANSWER SECTION:
google.com. 87046 IN NS ns3....
8
votes
2
answers
2k
views
Risks of Kerberos Delegation
I've been spending hours upon hours trying to learn and understand Windows Authentication, Kerberos, SPNs, and Constrained Delegation in IIS 7.5. One thing I just don't get is why it is "risky" to ...
8
votes
2
answers
3k
views
Is there a way to get Kerberos credentials to delegate twice? Why not?
All my nerdly life, I've dealt with this limitation of Windows Domains
Login - console
Integrated auth to something (usually web app)
My credentials can't move to another server (e.g. database or ...
7
votes
1
answer
5k
views
In Active Directory, how do I delegate write permissions on specific attributes of protected user accounts?
We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of employee information truth elsewhere, so that when someone'...
6
votes
2
answers
5k
views
Active Directory Permissions: Delete vs Move
I want our help desk to be able to move user accounts but NOT delete them. Here is the summary of our current permissions set on the affected OU's (this DOES allow them to delete user accounts):
...
5
votes
3
answers
51k
views
BIND: how to delegate subzone to other DNS server?
I'm in the process of migrating from a workgroup served by a BIND9 DNS server, to a AD Domain based on Windows Server 2008 R2, and I'd like to keep using the BIND server until the AD infrastructure is ...
5
votes
4
answers
2k
views
What to do with user mailboxes in Exchange 2003 after they leave organization?
Over the ages we've accumulated mailboxes of users who have since left the company. Due to concerns at the time (they have important stuff in the mailboxes, we need to get to it) the SOP was to leave ...
5
votes
1
answer
6k
views
DNS referral / delegation: which DNS is responsible; How to delegate the right way?
Introduction
I bought the domain earechnung.at with Hetzner and am using my webspace at All-Inkl. I want to use the nameservers of my webhost (All-Inkl).
Zonefiles and Nameservers
As I registered ...
5
votes
2
answers
25k
views
Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers
I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System ...
5
votes
3
answers
6k
views
Delegating account unlock rights in AD
I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the ...
5
votes
1
answer
2k
views
Is there an easy way to set up Active Directory Constrained Delegation for all Domain Controllers
We've worked through configuring AD constrained delegation for a service account in our domain, and we've gotten everything to work in principle. However, to do so we had to set up LDAP delegation to ...
5
votes
1
answer
127
views
Services Accounts
We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable.
I am looking to change this as soon as possible but am fairly new ...
5
votes
5
answers
3k
views
IIS Strategies for Accessing Secured Network Resources
Problem: A user connects to a service on a machine, such as an IIS web site or a SQL Server database. The site or the database need to gain access to network resources such as file shares (the most ...
5
votes
1
answer
2k
views
Different ACLs on two OU's with same "protect object from deletion" setting
Background
After I configured our Active Directory so that the ability to move computers was delegated to helpdesk staff, I started hearing reports that computers would get "stuck" in specific OU's. ...
4
votes
2
answers
212
views
Active Directory, control to users
I'm responsible by Active Directory (AD) where I'm working, and I'm trying to figure out, how can I allow, that sector managers of the company, may add and delete users from its departments respective,...
4
votes
1
answer
440
views
Active Directory write permissions let edit users information but not administrator-users information
In our Active Directory (2008 R2), I used delegation to give permission to edit user information attributes such as phone numbers, title, postal address, ... to a group of non-admin users.
Members of ...
4
votes
2
answers
1k
views
Can windows enable delegation across domains?
I have two domains
foo.local
test.local
I can run powershell hyper-v cmdlets against the test.local hyper-v server if I am using a VM that is in the test.local domain.
Get-VM -ComputerName ...
4
votes
1
answer
289
views
Suggestions For IT Staff Delegation
looking for some suggestions or tips on how to setup our IT admins with delegation and server access. I started at a new organization and saw that every IT staff member is a domain admin. Looks like ...
4
votes
1
answer
7k
views
How to proper delegate domain in BIND for Active Directory servers
I have to delegate domain for AD serwers. Let say example.com and I'm using Bind(dns.bind.com) on CentOS.
I added proprer configuration to named.conf and using A,NS records delegate domain to AD ...
4
votes
3
answers
7k
views
Kerberos Delegation for SQL Bulk insert (access denied)
I have a problem when trying to bulk insert to SQL under the following situation:
Running management studio on Workstation A
SQL Running on Server B
File to bulk upload from located on Server C
When ...
4
votes
1
answer
3k
views
DNS, subdomain, and IPv6 -- possible to add subdomain.example.com NS record to an IPv6 host?
example.com is listed with a registrar -- specifically, answerable.com.
I want to host a subdomain in-house, specifically home.example.com.
I am using an ipv6 gateway, specifically gogo6, to have a ...
4
votes
0
answers
2k
views
Grant Kerberos Constrained Delegation to SQL Server 2012 running as Managed Service Account
I can't see how to grant Kerberos Constrained Delegation for a service identified by a Managed Service Account.
I have a Windows 2008 R2 functional level single domain single forest, two 2008 R2 SP1 ...
4
votes
2
answers
908
views
DNS delegation on same server with DDNS and second slave server
I have two servers running BIND, the first is setup as the master of two zones and the second as a slave for those zones. The zones are example.com and ddns.example.com. I have DDNS running and ...
3
votes
1
answer
5k
views
Can I create DNS records for some hosts, delegate other queries in the same domain to another DNS server?
I have an internal DNS server. I've added a custom record for a domain name that is public.
I want to add local records but keep the public domain name resolved.
For instance :
foo.bar.com = wan ip ->...
3
votes
2
answers
4k
views
Limiting view of Active Directory Users and Computers
I am delegating a group of users to a specific person to be able to keep up with thier account management, and I have delegated them the authority to do this to just this group. Is there a way that I ...
3
votes
5
answers
1k
views
Managing per-user rc.d init scripts
I want to delegate SysV init scripts to each user.
Like the SysV init, each item in ${HOME}/rc.d starting with S will be launched on server start-up with the start argument. The same for the server ...
3
votes
1
answer
6k
views
Cant find "Read Lockout Time" and "Write Lockout Time" for delegation on OU
Trying to delegate permissions to a group on a OU; but cant find 2 properties in special permissions for "User Objects" they are "Read Lockout Time" and "Write Lockout Time" any reason i couldnt see ...
3
votes
1
answer
1k
views
SPNs and Kerberos Delegation
I would like to check my understanding. This is a fully hypothetical scenario below as I am currently studying for a certification.
I have an IIS App Pool with a basic website, which accesses data ...
3
votes
1
answer
235
views
How do I avoid Lame DNS or other issues when switching between 3rd party DNS servers?
I have 800 DNS zones at many different providers, and am trying to centralize them to either UltraDNS or Dynect.
Is is possible for me to configure each NS to nameserverX.MyCompany.com and avoid ...
3
votes
2
answers
2k
views
Mimic delegation of control wizard with PowerShell
I want to delegate control of the TestUsers organizational unit to a user NickA and give the following permissions to it:
Create, delete, and manage user accounts
Reset user passwords and force ...
3
votes
4
answers
249
views
Active Directory Delegation Help
I am trying to get a junior team mate setup with rights on AD to create accounts, change passwords and create emails on exchange. What would be the best way to do this?
I tried half assing a ...
3
votes
3
answers
216
views
End-User AD Management solution [closed]
We've just migrated to a pure Microsoft environment and are looking for an end-user AD management solution.
Ideally we'd like users to be able to manage their personal info in AD. We have ~500 users ...
3
votes
0
answers
334
views
IIS 7.5 connect to a web site using IIS Manager using the current user credentials
I am trying to use IIS Manager to connect to a site or an application but would like to pass through or use the current authenticated user's credentials. There is only a username and password option ...
2
votes
3
answers
3k
views
How long is the update delay when changing nameserver delegation, and how can I test the change?
I just changed our delegated name sever though our registrar (MelbourneIT, if it's important).
The updated nameserver value shows in the whois report - does this mean that the update has completed?
...
2
votes
1
answer
19k
views
With DNS, what is the difference between Delegation, Forwarding, Conditional Forwarding, and Stub zones? [closed]
I am surprised at how many different ways I have read answers to this question and I still don't know the fine differences of the answer.
For each of these similar DNS concepts:
Delegation
...
2
votes
2
answers
133
views
Delegating Administrator Control in AD
My IT environment is growing, and I want to delegate Domain Admin control to specific OU's. This way at each site, the admin in that location can only make changes in his site-specific OU.
In my ...
2
votes
3
answers
2k
views
Can't Promote Server to Secondary Domain Controller
We have a server running Server 2008 R2 as our primary DC. We currently don't have a secondary DC, but are trying to add one. The secondary DC we are trying to use is running Server 2012 R2 Standard.
...
2
votes
3
answers
7k
views
"Permission Denied" creating a new domain-based Dfs root as non-Administrator
I have been tasked to delegate a number of everyday tasks in our domain to a group of technicians which does not have Domain Admins membership. One of these tasks is the creation of new domain-based ...
2
votes
1
answer
257
views
If I authorize someone to send as me though Exchange Online will I see the sent emails?
Lets assume I am the owner of the mailbox "[email protected]" and via the Exchange Online administration I allow the owner of "[email protected]" to send emails as "[email protected]" while I am out ...
2
votes
1
answer
51
views
Delegate Access and Subfolders
Sometimes when a user leaves a company the manager will request access to the former employees mailbox on our Exchange 2013. I can use mailbox delegation to give them full access, but if there are any ...
2
votes
1
answer
185
views
Delegation Permissions to admins in Active Directory/Taskpads
I am trying to provide taskpads to few admins to operate on few tasks delegated to them at OU level.I ran into the following problem;
lets say i delegated access to the admin on OU X and which is ...
2
votes
1
answer
2k
views
In Win/AD, does kerberos authentication require the services accounts to be the same?
I am trying to isolate the cause of a KRB5KDC_ERR_BADOPTION (13) that I am seeing come back in a WireShark trace.
I have set an SPN to associate xxx/server.fqdn:port with the domain account that ...
2
votes
1
answer
6k
views
Delegate "Read" Ability to GPO's
Is there a way to allow a non-administrator to "read" (as in browse and look at the settings) of domain gpo's?
I see in GPMC there is an option to allow delegation of "Read Group Policy Results ...
2
votes
1
answer
558
views
How to enable Kerberos delegation from SQL Server to DFS File Share
I am trying to enable my MSSQL database users to BULK INSERT / OPENROWSET() a CSV file that is stored on our DFS/cifs/smb network shares.
Initial Setup
I have the MSSQL service set to run as a domain ...
2
votes
1
answer
319
views
what happens if the authoritative DNS servers and the NS records don't agree
What happens if the NS records in a zone don't agree with the root nameserver delegation for that same zone? In other words, if a registrar knows that the authoritative nameservers for example.com ...
2
votes
1
answer
441
views
Active Directory, delegating control for specific class
There are objects in my AD that have objectClass set to device, and I would like to delegate control to non-admin users so they will be able to add new and delete existing objects with objectClass set ...
2
votes
1
answer
8k
views
Difference between "Descendant User Objects" and just "User Objects"
i am trying to delegate permissions on a cetain OU to a certain group. All i find is "Descendatn User Objects" and not just "User Objects" ; we have those available in other domain; please do let me ...
2
votes
1
answer
323
views
Why would delegated nameservers ever be different to authoritative nameservers?
If you go on intodns.com and type in stackoverflow.com, the parent server tells me that nameservers for the domain are here:
ns1.serverfault.com. ['198.252.206.80'] [TTL=172800]
ns3.serverfault....
2
votes
2
answers
1k
views
Joining workstations to the domain as a member of Protected Users group (Delegation vs User Rights)
Implementing "Protected Users" and coming across this problem that I couldn't find a solution to anywhere. Cannot join computers to the domain with delegation permissions. Instead "Add workstation to ...