Channel: Directory Services forum

Difficulty delegating account unlock rights to users in a trusted domain


I am trying to delegate rights to unlock accounts in domainA to users in domainB. For some reason, domainB cannot see that the users have been granted rights, and we're getting access denied errors when users in domainB attempt to unlock accounts in domainA.

Configuration is as follows:

  • domainA has an OU called Account Resources.
  • I've delegated Read All Properties, Write Lockout Time and Read/Write User Account Control rights for the OU Account Resources to a Domain Local group named domainA\OU-Account Resources_LoginAssist.
  • User domainB\helpdesk is a member of domainA\OU-Account Resources_LoginAssist.

Symptoms:

  • Checking effective permissions of a user in domainA while logged in to domainA shows that the user domainB\helpdesk has all of the delegated permissions, and should be able to unlock accounts successfully.
  • Checking effective permissions of a user in domainA while logged into domainB shows that the user domainB\helpdesk does not have the delegated permissions, and should not be able to unlock accounts.
  • Actually attempting to unlock an account under the delegated OU while logged in as user domainB\helpdesk fails.

Notes:

  • I've tested this scenario in a lab environment and the delegation works as expected.
  • Delegating access directly to domainB\helpdesk appears to work as expected.
  • The configuration had been working for a period of time. It stopped working at some point over the last week.
  • Similar delegation from a second domain seems to have failed at the same time.
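A check of the delegation from domainA's side, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module on a domainA-joined host; the OU DN, group name and account name are placeholders for the poster's real values.

```powershell
# Added example (not from the post): verify the delegation described above on domainA.
# Placeholders below must be replaced with the real OU DN, group and trusted account.
Import-Module ActiveDirectory

$ouDn    = 'OU=Account Resources,DC=domainA,DC=example'   # placeholder OU DN
$group   = 'OU-Account Resources_LoginAssist'             # domain-local group in domainA
$foreign = 'domainB\helpdesk'                             # account from the trusted domain

# Look up the schemaIDGUIDs of the two attributes the delegation writes, from the
# schema itself rather than hard-coded constants.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($attr in 'lockoutTime', 'userAccountControl') {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuid[$attr] = [guid]::new([byte[]]$obj.schemaIDGUID)
}

# 1. ACEs on the OU granted to the group. Expect WriteProperty with ObjectType set to
#    each attribute GUID, plus ReadProperty with an empty GUID (all properties),
#    inherited to descendant objects.
$groupSid = (Get-ADGroup -Identity $group).SID
$aces = (Get-Acl -Path "AD:\$ouDn").Access | Where-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid }
    catch { $false }   # unresolvable identity, not our group
}
foreach ($ace in $aces) {
    $name = ($attrGuid.GetEnumerator() | Where-Object { $_.Value -eq $ace.ObjectType }).Name
    if (-not $name) {
        $name = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties' } else { $ace.ObjectType }
    }
    '{0,-6} {1,-28} {2,-20} {3}' -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $name, $ace.InheritanceType
}

# 2. Membership across a trust is stored by SID: the group member is a
#    foreignSecurityPrincipal object named after the account's SID. Compare the SID
#    domainB reports for the account now with the SID the group actually references.
#    If Translate() throws here, domainA cannot resolve the account over the trust.
$foreignSid = (New-Object System.Security.Principal.NTAccount($foreign)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$members = (Get-ADGroup -Identity $group -Properties member).member
$fspDn = $members | Where-Object { $_ -like "CN=$foreignSid,CN=ForeignSecurityPrincipals,*" }
if ($fspDn) { "Group references the current SID of $foreign ($fspDn)" }
else        { "No member of $group matches the current SID of ${foreign}: $foreignSid" }
```

If step 1 shows the expected ACEs but step 2 reports no match, the group holds a SID that no longer corresponds to the current domainB\helpdesk account, which is the situation to resolve before re-checking effective permissions from domainB.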
