Active Directory Server 2008 R2 – You do not have permission to modify the group %$# (Unknown Japanese or Chinese characters)


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services


Compiled 2/7/2012


 



Background:


  • This was created to test an issue in which a delegated account without Full Control on an OU cannot modify a group’s membership, in response to the following TechNet posting:

Active Directory Server 2008R2 – You do not have permission to modify the group $%#     (Posted 2/6/2012)
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/dcc48a8d-da01-4477-98a4-a10a8eb1f7ba/ 


  • This was also referenced and documented as a bug by Chris Beams in his blog in the following link:

You do not have permission to modify the group
http://chrisbeams.wordpress.com/2010/05/08/you-do-not-have-permission-to-modify-the-group/


With the following error message that appears with unknown Asian characters:



  • Operating System: Windows Server 2008 R2 Enterprise RTM (not SP1)
  • Performed on a domain controller with the DC’s Rights modified to allow Interactive Logon and Logon Locally for the Local Domain Users group using the rights.exe utility.
  • Modified and customized the Delegwiz.inf template to add Template30 “Modify group membership” based on

Appendix O: Active Directory Delegation Wizard File
http://technet.microsoft.com/en-us/library/cc772784(WS.10).aspx


  • I created a group called Help Desk
  • I created a Domain User called “Ace”
  • Added “Ace” to the Help Desk group
  • Created a user called “Shadow”
  • Logged on as Ace
  • Attempted to add Shadow to the Help Desk group
  • Attempted to add Shadow using ADUC to the Help Desk group by using Shadow’s Member Of tab
  • Attempted to add Shadow using ADAC to the Help Desk group – Unsuccessful – the Add buttons were grayed out


Summary:


  1. The error showed up when I was in the user’s properties, Member tab. It didn’t allow me to add the group to the user.
  2. I also wasn’t able to add the user to the group using ADAC.
  3. However, through the group properties, Member tab, I was able to add the user.
  4. I did not try using ADAC by choosing the user’s properties, but I have a feeling it would have worked.

My conclusion, as was noted by Chris Beams (link above), is that it appears to be a bug, unless someone else indicates otherwise.
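
An added example, not part of the original post: a PowerShell check, run as the delegated user, that lists the ACEs allowing writes to the group's `member` attribute and then adds the user from the group side, the path that worked in item 3 above. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2, that "Help Desk" and "Shadow" are also the sAMAccountName values, and that the customized template grants read/write on `member`; the post does not show the template's contents.

```powershell
# Added example. Run in a PowerShell session started as the delegated user (Ace in the post).
Import-Module ActiveDirectory

$groupName = 'Help Desk'   # group from the post (assumed to match its sAMAccountName)
$userName  = 'Shadow'      # test user from the post (assumed to match its sAMAccountName)

# schemaIDGUID of the "member" attribute, which stores a group's membership
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$group = Get-ADGroup -Identity $groupName

# 1. Show Allow ACEs on the group that permit writing "member":
#    either scoped to that attribute or to all properties (empty GUID).
(Get-Acl -Path ("AD:\" + $group.DistinguishedName)).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Add the user from the group side: this writes the group's "member"
#    attribute, the same object the group's Members tab edits.
Add-ADGroupMember -Identity $group -Members $userName

# 3. Confirm the result. The user's memberOf is a back-link computed from
#    "member", so it is read here rather than written.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName
(Get-ADUser -Identity $userName -Properties MemberOf).MemberOf
```

If step 1 lists an inherited ACE for the delegated group and step 2 succeeds, the delegation itself is in place and the failure is limited to the user-side Member Of dialog.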

 



Screenshots Below:



1. I first customized the delegwiz.inf file by just adding Template30. I didn’t feel adding the rest of them was required.
If you can’t see the right bottom of this image to see how I added it in the INF file, here’s the full image:
https://public.blu.livefilestore.com/y1p1DHykm_FT3im726XcmFDKE9ZMTgfZ6I48owb-4hOF4Jj-aZjj9oKr1C3l7OG1AUCsrLBIWFcCOct-eu-ficDXw/AD-%20Delegate%20OU%20-%201%20-%20Modified%20Delegatewiz.inf%20to%20add%20template30.jpg?psid=1








2. Invoked the OU Delegation Wizard









3. Chose to Delegate the Help Desk group.









4. Clicked on “Modify Membership of a Group”









5. Clicked on “Modify Group Membership” (this was the added permission from Template30, as noted in my customized addition)







6. Added Ace to the Help Desk group.









7. While still logged on as Administrator, I chose to Switch User to logon as the delegated user, Ace, which is in the Help Desk group.







8. Chose “Other User.”









9. In Shadow’s properties:


  • Right clicked on Shadow
  • Member Of tab
  • Clicked on Add
  • Searched and found the Help Desk group







10. Before I clicked on OK or Apply, just to point out you can see Shadow is now in the list.








11. After I clicked on Apply, you can see the error message appear with the unknown Asian characters.








12. So I decided now to try the Active Directory Administrative Center (ADAC).








13. The familiar ADAC splash screen…








14. Chose the Help Desk group.








15. Clicked on Properties of the Help Desk group. But you can see the Add buttons are grayed out. <sigh>








16. While still logged on as user Ace, I decided to try using ADUC. I right clicked on Test Group, Properties.








17. Clicked on the Members tab, searched and found Shadow, then clicked on Add.








18. Before I clicked on Add or Apply, I just wanted to point out that you can see Shadow is in the Members list.








19. After clicking on Apply, you can see it accepted the command. Shadow was successfully added.










Errors, suggestions, critique, etc, are all welcomed!


Ace Fekay
