RE: Restrict user

From: a-chadl [MSFT] (a-chadl_at_online.microsoft.com)
Date: 02/12/04


Date: Thu, 12 Feb 2004 16:53:12 GMT


| Here is my goal. Have a generic user logged into my
| domain controller that only has the permission to reset
| passwords for user accounts in Active Directory. I want to
| have this user logged in to the domain controller at all
| times and utilize the "run as" command to log on to do
| more major administration tasks such as administer group
| policies, create groups and OUs etc. What's the best way
| to go about setting up this user to only be able to reset
| passwords?
|
|
| Thanks in advance
|

Open Active Directory Users & Computers and delegate control to the
account for all of the OU's that contain user accounts.

1) Right click on the OU and choose Delegate Control.

2) In the delegation of control wizard, select your generic account, then
in the next screen select "Create a custom task to delegate".

3) In the next screen, choose the radio button for "Only the following
objects in the folder", then put a check mark next to User objects, then
click next.

4) In the Permissions screen, put checks next to "change password", "reset
password", and the "read and write account restrictions" permissions. Then
click next to finish.

Chad A. Lacy
Windows 2000 Directory Services

==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.
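
The wizard steps in the reply above can also be scripted, and the resulting ACL read back to confirm the account holds only the three permissions. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (which is newer than this thread), and the OU path and account name are hypothetical placeholders.

```powershell
# Added example: scripted form of wizard steps 1-4, followed by a read-back check.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$ouDn    = 'OU=Staff,DC=example,DC=com'   # hypothetical OU that contains user accounts
$account = 'EXAMPLE\pwreset'              # hypothetical generic account

# Schema and control-access-right GUIDs for the items ticked in the wizard
$userClass      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # User objects
$resetPassword  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "reset password"
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # "change password"
$acctRestrict   = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # "account restrictions" property set

$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
# Descendents + inherited object type "user" = "only User objects in the folder"
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Step 4: the two password rights are extended rights scoped to user objects
foreach ($right in $resetPassword, $changePassword) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $extended, $allow, $right, $descendents, $userClass)))
}
# Step 4: read and write on the account restrictions property set
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $readWrite, $allow, $acctRestrict, $descendents, $userClass)))

Set-Acl -Path $path -AclObject $acl

# Read back: every explicit entry for the account should carry one of the three GUIDs
# above as ObjectType and the user class as InheritedObjectType.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it once per OU that contains user accounts. An entry in the read-back with an all-zero ObjectType or a right such as GenericAll means the account holds more than the password-reset delegation.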