Re: Limiting Access Rights to AD from Windows 2000 Professional

anonymous_at_discussions.microsoft.com
Date: 07/06/04


Date: Tue, 6 Jul 2004 13:30:11 -0700

I've done the DELEGATION WIZARD. I've given the user access
to review user information and change password. But when
the user accesses her MMC console she can make changes to
the user account information. Am I missing something?
Can she have more rights flowing downwards that are
overwriting the rights on a particular OU?

Could the problem be that the user's rights are not applied
when accessing the AD from Windows 2000 Professional
instead of the server?

>-----Original Message-----
>Use the Delegation of Control wizard.
>
>You need to delegate reset password ability for the container where the
>users exist in.
>
>You can't hide what they shouldn't see, by default users have read rights on
>the directory unless it's set into List Object Content Mode.
>
>--
>Regards
>Christoffer Andersson
>Microsoft MVP - Directory Services
>
>No email replies please - reply in the newsgroup
>------------------------------------------------
>http://www.chrisse.se - Active Directory Tips
>
>"Michael" <anonymous@discussions.microsoft.com> wrote in message
>news:2770201c4638f$519d4130$a501280a@phx.gbl...
>> Windows 2000 AD tree
>>
>> Want to give HELP DESK staff access to AD to change user
>> passwords from their Windows 2000 Professional. I am able
>> to setup the Active Directory MMC console on the W2K
>> Professional. But can't seem to limit their access to
>> only the users' folder and to change passwords only.
>>
>> Please advise.
>>
>> TIA
>
>
>.
>
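
An added example, not part of the original thread: the question above asks whether extra rights could be flowing down onto the OU. One way to check is to read the OU's DACL in SDDL form and list every allow ACE for the user's SIDs (her own and her groups') that grants modify rights beyond the Reset Password extended right, marking which ones are inherited. The SIDs and the DACL below are constructed, and rights are assumed to be written as two-letter SDDL tokens.

```python
import re

# Reset Password (User-Force-Change-Password) extended-right GUID.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
# SDDL right tokens that change the directory; read tokens (RP, LC, RC, LO, GR) are ignored.
MODIFY = {"GA", "GW", "WP", "SW", "CC", "DC", "SD", "DT", "WD", "WO", "CR"}

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string as dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, _inherit_obj, trustee = body.split(";")[:6]
        aces.append({
            "type": ace_type,
            "inherited": "ID" in re.findall("..", flags),  # ID = ACE came from a parent
            "rights": re.findall("..", rights),
            "object": obj.lower(),
            "trustee": trustee,
        })
    return aces

def excess_rights(sddl, sids, expected=frozenset({("CR", RESET_PASSWORD)})):
    """List allow ACEs for `sids` that grant modify rights beyond `expected`."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or ace["trustee"] not in sids:
            continue
        extra = sorted(r for r in ace["rights"]
                       if r in MODIFY and (r, ace["object"]) not in expected)
        if extra:
            findings.append((ace["trustee"], extra, ace["inherited"]))
    return findings

# Constructed sample: SIDs and DACL are made up for illustration.
HELPDESK = "S-1-5-21-1000-2000-3000-1201"     # group given the delegation
OTHER_GROUP = "S-1-5-21-1000-2000-3000-1300"  # another group the user belongs to
SAMPLE_OU_SDDL = (
    "D:AI"
    f"(OA;CI;CR;{RESET_PASSWORD};;{HELPDESK})"   # the intended delegation
    f"(A;CI;RPLCRC;;;{HELPDESK})"                # read only
    f"(A;CIID;RPWPCCDCLCRC;;;{OTHER_GROUP})"     # inherited, includes write/create/delete
    "(A;CIID;GA;;;S-1-5-21-1000-2000-3000-512)"  # a trustee the user is not a member of
)

if __name__ == "__main__":
    for trustee, rights, inherited in excess_rights(SAMPLE_OU_SDDL, {HELPDESK, OTHER_GROUP}):
        origin = "inherited from a parent" if inherited else "set on this OU"
        print(f"{trustee}: {','.join(rights)} ({origin})")
```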


