Can't modify adsiedit Configuration container Security

    Question

  • I have to make a change to the security on the Configuration container for syncing SharePoint 2010 user profiles.  I have already made this change on my domain, and it worked great.  However, I'm trying to make this change on a trusted domain and am unsuccessful.  They gave me a user who is a domain admin, as well as an enterprise admin, and I can connect to the Configuration container, but when I go to the security tab, all the options for adding and modifying permissions are greyed out.  The users who administer the domain normally also have those options greyed out.  Any ideas? 
    June 15, 2012 11:06

Answer

  • It can be due to UAC; are you opening ADSIEDIT.MSC using Run as administrator? If it doesn't work with the enterprise admin group membership, there is something wrong with the snap-in; otherwise it should work with an ID that has enterprise admin group membership. Can you use the same ID to modify any permission when logged in directly to the DC, apart from remote tools like the Adminpak/RSAT tools? Reverify whether the account is a member of the enterprise group or not.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 15, 2012 11:54

All replies

  • Hello, 

    Please register the DLL below and try once again.

    Register Schmmgmt.dll

    1. Click Start, and then click Run.
    2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
    3. Click OK when you receive the message that the operation succeeded.


    Regards, Ravikumar P

    June 15, 2012 11:41
  • I would agree with Awinish, if you are using a Vista/Windows 7 machine ensure that you have the elevated permissions.  When you log on as a user on one of these machines, by default your permissions are not as a full admin unless you specifically state runas an administrator.  This is what the UAC does.

    What is UAC
    http://windows.microsoft.com/en-US/windows-vista/What-is-User-Account-Control

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    June 15, 2012 12:03
  • For our domain, I am logged into my PC as myself, and it works fine without running as administrator or other user.  For their domain, I created a different mmc, and ran it as the domain\username they gave me, and it doesn't work.  So it doesn't seem like it would be a dll issue or a UAC issue?  I am waiting for them to make the user an enterprise admin again this morning so I can try it again.

    June 15, 2012 12:33
  • If it's another domain, you need enterprise admin group membership. If they re-add your ID into the enterprise group, then just log off & log in again to the system where you are trying to access adsiedit.msc.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 15, 2012 12:55
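
The two checks suggested in this thread (is the session elevated, and does the current logon token actually carry Enterprise Admins), as an added example that is not part of any post. It assumes it is run in the same session, under the same account, from which adsiedit.msc is launched; the property names in the output are chosen here for illustration.

```powershell
# Added example: inspects the token of the current process, which is the
# token a snap-in started from this session would run with.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# True only when the process holds the full administrator token.
# Under UAC a non-elevated session returns False even for an admin account.
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# WindowsIdentity.Groups lists only enabled group SIDs. A group that is
# present in the token as deny-only (as in a UAC-filtered token) is omitted,
# so a missing SID means "not usable for access checks in this session".
$enabledSids = @($identity.Groups | ForEach-Object { $_.Value })

# Well-known relative IDs: 519 = Enterprise Admins (forest root domain),
# 512 = Domain Admins, 518 = Schema Admins.
$wellKnown = @{ 'EnterpriseAdmins' = 519; 'DomainAdmins' = 512; 'SchemaAdmins' = 518 }

$report = @{
    Account  = $identity.Name
    Elevated = $elevated
}
foreach ($name in $wellKnown.Keys) {
    $pattern = '^S-1-5-21-\d+-\d+-\d+-{0}$' -f $wellKnown[$name]
    $match   = @($enabledSids | Where-Object { $_ -match $pattern })
    # Store the matching SID(s) so the domain portion can be compared with
    # the forest that owns the Configuration container being edited.
    $report[$name] = if ($match.Count -gt 0) { $match -join ',' } else { 'not in token' }
}

# A group membership granted after logon appears here only after the account
# logs off and logs on again, because the token is built at logon time.
New-Object PSObject -Property $report | Format-List
```

If `EnterpriseAdmins` shows a SID, compare its domain portion with the forest root domain of the trusted forest: Enterprise Admins of one forest carries no rights on another forest's Configuration container.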