Active Directory - Delegate Remote Access Permission

2011/01/06

Here are the steps I completed to do this. And yes, it works through ADUC.

Note: this method requires editing the C:\windows\system32\DSSEC.DAT file on the DC that you are running ADUC on. See for more details. In short, some of the rights that need to be delegated are filtered out of the wizard's attribute list by default. Edit the file so that these permissions are no longer filtered (change their value from 7 to 0):

1. Set the following values to 0 under the [user] section of the file (not under [computer]):

       msNPAllowDialin=0
       msNPCallingStationID=0
       msNPSavedCallingStationID=0
       msRADIUSCallbackNumber=0
       msRADIUSFramedIPAddress=0
       msRADIUSFramedRoute=0
       msRADIUSServiceType=0
       msRASSavedCallbackNumber=0
       msRASSavedFramedIPAddress=0
       msRASSavedFramedRoute=0

2. Save the file, then open ADUC and run the delegation wizard as outlined below.

  1. Specify the group to delegate to (DELG Group)
  2. Select "Create a custom task to delegate" and select Next
  3. Select "Only the following objects in the folder", then check "User objects"
  4. Select Next
  5. Select General and Property-specific under "Show these permissions"
  6. Select "Read and Write Remote Access Information"
  7. Select the Read and Write checkboxes for all of the following attributes: msNPAllowDialin, msNPCallingStationID, msNPSavedCallingStationID, msRADIUSCallbackNumber, msRADIUSFramedIPAddress, msRADIUSFramedRoute, msRADIUSServiceType, msRASSavedCallbackNumber, msRASSavedFramedIPAddress, msRASSavedFramedRoute, userParameters
  8. Select Next
  9. Review the summary and select Finish to complete
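The wizard steps above produce a set of object-specific ACEs on the OU; the following PowerShell script is an added example (not from the original post) that grants the same Read/Write property ACEs for descendant user objects directly, resolving every GUID from the schema and Extended-Rights container rather than hardcoding it. It assumes the RSAT ActiveDirectory module, a placeholder OU distinguished name, and an account allowed to modify the OU's security descriptor; because it writes the ACL directly, the DSSEC.DAT filter (which only affects what the wizard UI shows) does not apply.

```powershell
# Added example: delegate Remote Access Information Read/Write to a group, without the wizard.
Import-Module ActiveDirectory

$targetOu  = "OU=Users,DC=example,DC=com"   # placeholder OU: users below it are delegated
$groupName = "DELG Group"                    # delegate group named in the post

# Attributes from step 7 of the post (Read and Write on each).
$attributes = @(
    "msNPAllowDialin", "msNPCallingStationID", "msNPSavedCallingStationID",
    "msRADIUSCallbackNumber", "msRADIUSFramedIPAddress", "msRADIUSFramedRoute",
    "msRADIUSServiceType", "msRASSavedCallbackNumber", "msRASSavedFramedIPAddress",
    "msRASSavedFramedRoute", "userParameters"
)

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve an attribute or class GUID from the schema by lDAPDisplayName.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Resolve the "Remote Access Information" property set (step 6) from Extended-Rights.
$rasSet = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=Remote Access Information)" -Properties rightsGuid
if (-not $rasSet) { throw "Property set 'Remote Access Information' not found" }
$propertyGuids = @([guid]$rasSet.rightsGuid) + ($attributes | ForEach-Object { Get-SchemaGuid $_ })

$userClassGuid = Get-SchemaGuid "user"   # restrict ACEs to descendant user objects (step 3)
$groupSid = (Get-ADGroup -Identity $groupName).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Add one Allow ACE per property/property set, then write the ACL back to the OU.
$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($guid in $propertyGuids) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $rights, $allow, $guid, $inherit, $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Read back the ACEs granted to the group for review.
(Get-Acl -Path "AD:\$targetOu").Access | Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run the read-back on its own afterwards (or dsacls) to confirm the ACEs landed on the intended OU before handing the group to its users.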
