I'm currently attempting to allow an administrator of a delegated OU (so, full control in test and as-good-as in production to a specific OU, but not a domain admin) to trust computers for delegation to specific services on other computers. This particular case is in relation to Exchange.
When he attempts to add a server on the 'Delegation' tab, he can click the 'Trust this computer for delegation to specified services only' and 'Use any authentication protocol' radio buttons, and add the relevant service and computer, but receives an 'Access is denied' when he attempts to apply.
As a domain admin I can do it just fine. According to these technet articles:
http://technet.microsoft.com/en-us/library/cc739764(v=ws.10).aspx
'or you must have been delegated the appropriate authority'
http://technet.microsoft.com/en-us/library/cc780217(v=ws.10).aspx
'To delegate this right, assign the Enable computer and user accounts to be trusted for delegation user right to the selected individuals'
In detail here:
http://technet.microsoft.com/en-us/library/cc960177.aspx
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
Suggests it may be possible to delegate this access without making him a domain admin? However when I tested a user with:
- full control to the server object
- full control to the destination/trusting server object
- and the specified computer group policy setting applying to the selfsame user
- after a gpupdate,
the same access denied message is returned.
The reason I want to avoid needing domain admin credentials for this is that we have several delegated server and application teams in a single domain; ideally they should be able to configure their own servers to the fullest extent, including settings like this, while being unable to touch other teams' servers.
The closest related question involves setting delegation to any service, for kerberos only, which is a modification to user account control via vbscript:
This is probably less granular than required, and ironically, even though my test user can read and write the userAccountControl attribute for the object in question according to 'Effective Permissions' from advanced security, the access still cannot be configured through the AD Delegation tab radio button 'Trust this computer for delegation to any service (Kerberos only)'. Trying to modify via ldifde returns:
Add error on entry starting on line 1: Insufficient Rights
The server side error is: 0x522 A required privilege is not held by the client.
The extended server error is:
00000522: SecErr: DSID-031A1190, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Please don't hesitate to let me know if I can clarify.
Cheers, Bruno
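The following PowerShell is an added example, not code from the original post, showing what the Delegation tab actually writes and the check a practitioner would make before blaming the OU permissions. The relevant fact, which the example assumes, is that the 'Enable computer and user accounts to be trusted for delegation' user right (SeEnableDelegationPrivilege) is evaluated by the domain controller that processes the LDAP write, so it has to be assigned in a GPO that applies to the domain controllers (normally the Default Domain Controllers Policy); assigning it on the member server, or holding write permission on userAccountControl and msDS-AllowedToDelegateTo, is not sufficient and yields the 0x522 / INSUFF_ACCESS_RIGHTS result quoted above. The computer name EXCH01 and the SPNs are hypothetical.

```powershell
# Added example (not from the original post). All names and SPNs are hypothetical.
Import-Module ActiveDirectory

$FrontEnd = 'EXCH01'                                           # computer to be trusted for delegation
$Targets  = @('HOST/EXCH02', 'HOST/EXCH02.corp.example.com')   # services it may delegate to

# 1. Confirm who holds SeEnableDelegationPrivilege where it is enforced: on a domain controller.
#    secedit exports the effective user-rights assignment as SIDs, so the delegated admin
#    (or a group containing him) must appear on this line for the write to be accepted.
$Dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Invoke-Command -ComputerName $Dc -ScriptBlock {
    $tmp = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    Select-String -Path $tmp -Pattern '^SeEnableDelegationPrivilege' | ForEach-Object { $_.Line }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

# 2. Write what the Delegation tab writes. The target service list goes into
#    msDS-AllowedToDelegateTo; 'Use any authentication protocol' sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl.
#    Run this as the delegated admin to reproduce (or clear) the 'access is denied'.
$acct = Get-ADComputer -Identity $FrontEnd
try {
    Set-ADComputer -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $Targets } -ErrorAction Stop
    Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true -ErrorAction Stop
} catch {
    # Without SeEnableDelegationPrivilege on the DC this is where the DC returns
    # 0x522 (ERROR_PRIVILEGE_NOT_HELD), regardless of attribute-level write permissions.
    Write-Warning "Delegation write failed: $($_.Exception.Message)"
}

# 3. Read back the result so the delegation settings can be audited without the GUI.
$c = Get-ADComputer -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[pscustomobject]@{
    Computer                   = $c.Name
    AllowedToDelegateTo        = ($c.'msDS-AllowedToDelegateTo' -join ', ')
    TrustedToAuthForDelegation = [bool]($c.userAccountControl -band 0x1000000)   # any protocol
    TrustedForDelegation       = [bool]($c.userAccountControl -band 0x80000)     # Kerberos only
}
```

Note that `-Add` appends to the existing msDS-AllowedToDelegateTo list; use `-Replace` to overwrite it, and `-Clear` to remove it. The two user-account-control bits are mutually exclusive in the GUI (the 'any service, Kerberos only' radio button sets TRUSTED_FOR_DELEGATION instead), so the readback shows which of the two modes is actually in effect.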