Chapter 2 MCTS Self-Paced Training Kit for exam 70-640


OK, this one is so bizarre, and took me so long to figure out, that I decided to write a post about it.

Here’s the situation. As part of the training for the exam, it has you create a People OU and place several users in that OU. Then you place one of your users in the helpdesk users group. This is followed by using the delegate permissions wizard to allow helpdesk users to only reset passwords in the OU. With me so far…?

The problem is that it later instructs you to add Domain Users to the Print Operators group so that all user accounts can log on locally to the server and you can perform testing. Well, guess what? Print Operators is a “protected group” in Active Directory. This means that any member of the Print Operators group does not inherit permissions from its parent container. This can be verified in ADUC by turning on advanced settings and viewing the Security tab for the user.


Therefore your delegation of rights will not work on these accounts. AHHHHHHH!

OK, so you remove Domain Users from Print Operators to correct the problem, right?


By removing Domain Users from Print Operators you remove the users from the protected group, but you must manually set the user accounts to include inheritable permissions. Then your delegation will work properly… whew!
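One way to find and repair the affected accounts in bulk instead of clicking through the Security tab for each user, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module, a placeholder distinguished name for the People OU, and hypothetical function names; it also clears `adminCount`, the attribute Active Directory sets to 1 on members of protected groups and leaves behind after they are removed.

```powershell
# Added example: audit and repair ACL inheritance on accounts in the lab's People OU.
# Run it only after Domain Users has been removed from Print Operators; otherwise
# the protected-group process on the domain controller re-applies the locked-down ACL.
Import-Module ActiveDirectory

$PeopleOU = 'OU=People,DC=example,DC=com'   # placeholder DN (assumption), replace with yours

function Get-ProtectedAclUser {
    # Lists users whose ACL no longer inherits from the OU, or that still carry adminCount = 1.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                AdminCount          = $_.adminCount
                InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        } |
        Where-Object { $_.InheritanceDisabled -or $_.AdminCount -eq 1 }
}

function Restore-AclInheritance {
    # Re-enables "include inheritable permissions" and clears the stale adminCount flag.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        $user = Get-ADUser -Identity $DistinguishedName -Properties nTSecurityDescriptor
        $sd   = $user.nTSecurityDescriptor
        # First argument $false = not protected, so the object inherits from its parent again.
        # The second argument is ignored when protection is being turned off.
        $sd.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable inheritance and clear adminCount')) {
            Set-ADObject -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $sd } -Clear adminCount
        }
    }
}

# Report first, then preview the fix; drop -WhatIf to apply it.
Get-ProtectedAclUser -SearchBase $PeopleOU | Format-Table SamAccountName, AdminCount, InheritanceDisabled
Get-ProtectedAclUser -SearchBase $PeopleOU | Restore-AclInheritance -WhatIf
```

Scope the search base to the lab OU only: accounts that legitimately belong to a protected group should keep their non-inheriting ACL.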

Oh wait… there’s more. Now your test users can’t log on locally to the server anymore. To resolve this issue, edit the Default Domain Controllers Policy group policy object and allow the helpdesk users to log on locally (DON’T EVER DO THIS IN PRODUCTION). But this is a lab, and by now you should understand the implications.

OK, so I figured all of this out in chapter two. If I can figure this out, do I really need to keep reading the book, or am I good to go on the exam… Yikes!

