Active Directory Server 2008R2 - You do not have permission to modify the group $%#

    Question

  • Hello,

    We have recently upgraded to Server 2008 R2; our old environment was Server 2003. We have delegated permissions to our Help Desk staff so they can add certain groups in certain OU's, but they are denied to add groups in other OU's. In Server 2003 they get the message "You do not have permission to modify the group 'group name'" with the actual group name displayed (helpful if they know what group they need us sysadmins to allow). However, with the new Server 2008 R2 they get the error message "You do not have permission to modify the group $%#" followed by what I think are Chinese letters.

    I have looked here:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/713cc96f-1a50-4d60-8a31-25f7c51344b0

    http://chrisbeams.wordpress.com/2010/05/08/you-do-not-have-permission-to-modify-the-group/

    But the answers unfortunately don't make sense to me. It's as if AD won't allow the Help Desk to even read the group name. I've tried granting full read rights but this didn't resolve the problem. I don't want to grant them access to add these groups, but it would be nice for them to know the names of the groups they can't add.

    Many thanks for any suggestions

    Karen

    Monday, February 06, 2012 1:40 PM

Answers

  • I reproduced this message, too. Apparently it appears to be a bug.

    1. The error showed up when I was in the user's properties, Member tab. It didn't allow me to add the group to the user.
    2. I also wasn't able to add the user to the group using ADAC.
    3. However, through the group properties, Member tab, I was able to add the user.

    You can see my steps and screenshots during my testing procedure, below. Yea, I just blogged it, thinking if someone else wants to try it just in case I missed something in the steps. And if you find I made a mistake, or anything at all, please let me know. All critique is welcomed!

    Active Directory Server 2008 R2 - You do not have permission to modify the group %$# (Unknown Japanese or Chinese characters)
    Published by acefekay on Feb 7, 2012 at 10:51 AM 
    http://msmvps.com/blogs/acefekay/archive/2012/02/07/active-directory-server-2008-r2-you-do-not-have-permission-to-modify-the-group.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, February 07, 2012 6:37 PM
  • Hi all,

    Yes, this message box display behavior is a bug and easily reproduced (no need to delegate; just give a standard user local admin rights on their computer so that they can run DSA.MSC/DSAC.EXE, then have them try to edit any domain group - you'll see the double-byte weirdo characters instead of the expected canonical group name).

    If anyone here has a Premier contract, please open a support case and file a DCR. It's already resolved in Windows 8, but unless a customer opens a DCR with us through official channels, there won't be any justification to fix it in the older operating system. Especially since it's cosmetic and doesn't impact the actual user's functionality - they know what group they are trying to edit and can tell whoever needs to give them correct permissions. The message box's inability to tell you the group has no bearing on the actual permissions - if they are wrong in any way, this message will show. If they are correct, it won't.

    Sorry for any inconvenience,

    (PS: nice work writing all that down Ace. That's why MVPs rock)


    Ned Pyle [MSFT] Enterprise Platforms Support - DS



    Wednesday, February 08, 2012 6:16 PM

All replies

  • Karen,

    What permissions does the HelpDesk staff have for the group in question? You seem to imply that the problem surfaces even with Full Control permission to the group - is this correct?

    What OS version is being used to modify the group membership? Are you seeing this while running ADUC on servers as well as on desktops (assuming that in both cases you are using the same account)?

    hth
    Marcin

    Monday, February 06, 2012 3:46 PM
  • Hi Marcin,

    1) The Help Desk have no rights on the group they are trying to add. I have tried granting them full read rights to the groups (because we don't want to grant them full permissions), but this did not resolve the issue.

    On groups they are allowed to add they have rights "Read Members" "Write Members".

    2) The OS version with the issue is Server 2008 R2. But with the same account on Server 2003 they have no issues and the group name displays. This is what users get on Server 2003:

    I hope this answers your questions.

    Thanks

    Monday, February 06, 2012 4:04 PM
  • Hmm. When you look at the group's security tab, advanced, what are the effective permissions?

    Also, in conjunction with "Read Members" and "Write Members," you may also need "Modify."

    Also:

    We have delegated permissions to our Help Desk staff so they can add certain groups in certain OU's, but they are denied to add groups in other OU's

    Was the Help Desk group also delegated permissions to those other OUs?

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 06, 2012 4:21 PM
  • Hi Ace,

    There are no delegated permissions on the OU's because we don't want to give them access to them.

    To try and solve this problem I did try to grant them all read properties on the OU, but that didn't help.

    I think this post is getting a bit mixed up, so I'll state my problem again for clarification.


    We don't want to give the Help Desk any delegated rights on these groups, but when they try and add a group they don't have permissions on they get the error message:

    "You do not have permission to modify the group $%#"

    instead of:

    "You do not have permission to modify the group 'group name'" with the actual group name displayed

    I hope this clears up the problem.

    Thanks

    Monday, February 06, 2012 4:46 PM
    Just a guess, and it will take me a while to test, but might one OS be displaying the canonicalName of the group, while the other is attempting to display the sAMAccountName? I assume there are no unusual (foreign) characters that might prompt the GUI to attempt to encode.

    Also, you are not adding groups, you are attempting to add members to a group where you lack permissions (but you have permissions to read).


    Richard Mueller - MVP Directory Services
    Monday, February 06, 2012 4:49 PM
    Also, you are not adding groups, you are attempting to add members to a group where you lack permissions (but you have permissions to read).


    Richard Mueller - MVP Directory Services

    Yes sorry I see my text wasn't exactly explicit. When trying to add users to groups we get this message.

    There are no unusual characters, I've tested it on a group name named Test and it also didn't work.

    Monday, February 06, 2012 4:53 PM
    Dumb question on my part, but have you tried the Managed By option in the group's properties?


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, February 06, 2012 5:04 PM
    How exactly do your HelpDesk staff members go about adding users to groups? In other words, what steps do they go through when getting the error message displayed above?

    It appears that you are adding users to groups via Member Of tab - correct? If so, I'm seeing the same behavior - so this appears to be a bug in the interface.

    hth
    Marcin

    Monday, February 06, 2012 5:17 PM
    And are you using the Member tab of the group, or the MemberOf tab of the user?


    Richard Mueller - MVP Directory Services
    Monday, February 06, 2012 5:25 PM
  • Richard,

    this is the Member Of tab on the properties of the user account - without proper permissions, the Add command button on the Members tab is grayed out...

    cheers,
    Marcin

    Monday, February 06, 2012 5:29 PM
    Hello,

    As additional info:

    You can add more template to your delegwiz.inf file.

    Go to the directory %windir%\Inf (in Windows Server 2008 or later %windir%\system32) and copy the delegwiz.inf file from here to your delegwiz.inf file (you must have permission to change and save this file).

    Modify the membership of a group (template 5) & Modify group membership (template 30).

    If you ask us what, for example, WP or RP etc. are, here is your answer:

     

    CA = Control Access
    CC = Create all child Objects
    DC = Delete all Child Objects
    DT = Delete Subtree
    GA = Generic All
    GE = Generic Execute
    GR = Generic Read
    GW = Generic Write
    LC = List Contents
    LO = List Object
    RC = Read permissions
    RP = Read all Properties
    SD = Delete
    WD = Modify Permissions
    WO = Modify Owner
    WP = Write all Properties
    WS = Write Self

    Regards

    Monday, February 06, 2012 5:48 PM
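As an added example (not code from the thread, from Microsoft, or from any of the posters): Ned's point is that the message appears exactly when the helpdesk's permissions on the target group are wrong, and the abbreviations above map "Read Members" / "Write Members" to RP / WP on the group's member attribute. The script below reads each group's ACL under an OU and reports whether a named principal holds those two rights, so an admin can list which groups the helpdesk can and cannot modify without relying on the garbled dialog. The principal name EXAMPLE\HelpDesk and the OU DN are assumptions; the member attribute GUID is the schema value.

```powershell
# Added example: audit Read Members / Write Members (RP / WP on 'member') for a principal.
# Requires the ActiveDirectory module (RSAT); it also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute. "Read Members" / "Write Members" in the
# Delegation of Control wizard are ReadProperty / WriteProperty scoped to this GUID.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMemberDelegation {
    param(
        [Parameter(Mandatory=$true)] [string] $Principal,   # e.g. 'EXAMPLE\HelpDesk' (assumed name)
        [Parameter(Mandatory=$true)] [string] $SearchBase   # OU whose groups are enumerated
    )
    $rp = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $wp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    Get-ADGroup -SearchBase $SearchBase -Filter * | ForEach-Object {
        $group = $_
        # The DACL returned here already contains ACEs inherited from the OU.
        $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

        # ACEs for this principal that cover 'member' or all properties (empty GUID).
        # GenericAll / GenericWrite / GenericRead carry the RP/WP bits, so -band catches them too.
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Principal -and
            ($_.ObjectType -eq $MemberAttributeGuid -or $_.ObjectType -eq [Guid]::Empty)
        }
        $allow = $aces | Where-Object { $_.AccessControlType -eq 'Allow' }
        $deny  = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

        # An explicit Deny on the attribute wins over any Allow.
        $readDenied  = @($deny  | Where-Object { ([int]$_.ActiveDirectoryRights -band $rp) -ne 0 }).Count -gt 0
        $writeDenied = @($deny  | Where-Object { ([int]$_.ActiveDirectoryRights -band $wp) -ne 0 }).Count -gt 0
        $readAllowed = @($allow | Where-Object { ([int]$_.ActiveDirectoryRights -band $rp) -ne 0 }).Count -gt 0
        $writeAllowed= @($allow | Where-Object { ([int]$_.ActiveDirectoryRights -band $wp) -ne 0 }).Count -gt 0

        $canRead  = $readAllowed  -and -not $readDenied
        $canWrite = $writeAllowed -and -not $writeDenied   # $false: adding members will be refused

        $group | Select-Object Name,
            @{ Name = 'ReadMembers';  Expression = { $canRead } },
            @{ Name = 'WriteMembers'; Expression = { $canWrite } }
    }
}

# Constructed names; replace with your own helpdesk group and OU.
Get-GroupMemberDelegation -Principal 'EXAMPLE\HelpDesk' -SearchBase 'OU=Groups,DC=example,DC=com' |
    Sort-Object Name | Format-Table -AutoSize
```

The script matches ACEs by the exact identity string, so rights the helpdesk receives only through nested group membership are not counted; the Security tab's Advanced > Effective Permissions view mentioned earlier in the thread remains the authoritative check for a single group.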
    This issue can be caused due to the permissions under the Security tab being modified incorrectly. Please use the Delegate Control Wizard to reassign the permissions or correct the permissions under the Security tab manually.

    Note: Delegate Control Wizard Cannot Be Used to Remove Groups or Users

    http://support.microsoft.com/kb/229873

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, February 07, 2012 7:49 AM
  • Hi,

    Marcin - You're correct, the Help Desk staff are using the user's Member Of tab to add the groups; if they use the group's Members tab the option is grayed out. Nice to know I'm not the only one with the issue.

    Ace - I granted our Help Desk rights on a group via the Managed By tab and the error still occurs and the name of the group is still displayed as Chinese characters.

    Sandesh - I don't want to grant our Help Desk staff rights on the OU, because they shouldn't have rights to add these groups to users.

    Thanks for the suggestions so far.

    Karen
    Tuesday, February 07, 2012 8:51 AM
  • I can also reproduce this bug.

    I can only assume there is a problem with the relevant resource string, which if true, means there's nothing you can easily do to resolve this.

    Hopefully a Microsoft representative can take the time to make a note of it and forward it on - assuming they too can reproduce it.

    As a reference point, my environment is:

    • Server 2008 R2 with SP1
    • Windows 7 x64 with SP1
    • RSAT for Windows 7 with SP1

    Cheers,
    Lain

    Tuesday, February 07, 2012 11:23 AM
  • Hello Ace,

    Thanks for your great article, very good description.

    Regards

    Thursday, February 09, 2012 12:22 AM
  • Hi all,

    Yes, this message box display behavior is a bug and easily reproduced (no need to delegate; just give a standard user local admin rights on their computer so that they can run DSA.MSC/DSAC.EXE, then have them try to edit any domain group - you'll see the double-byte weirdo characters instead of the expected canonical group name).

    If anyone here has a Premier contract, please open a support cased and file a DCR. It's already resolved in Windows 8, but unless a customer opens a DCR with us through official channels, there won't be any justification to fix it in the older operating system. Especially since it's cosmetic and doesn't impact the actual user's functionality - they know what group they are trying to edit and can tell whomever needs to give them correct permissions. The message box's inability to tell you the group has no bearing on the actual permissions - if they are wrong in any way, this message will show. If they are correct, it won't.

    Sorry for any inconvenience,

    (PS: nice work writing all that down Ace. That's why MVPs rock)


    Ned Pyle [MSFT] Enterprise Platforms Support - DS



    Thanks, Ned! I thought to give it a nice graphic twist documenting it. :-) 

    And btw, your articles Rock! I reference them all the time! :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 09, 2012 4:25 AM
  • Hello Ace,

    Thanks for your great article, very good description.

    Regards

    Thank you, and you are welcome, Patris!  :-)

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 09, 2012 4:26 AM