Re: Limiting Access Rights to AD from Windows 2000 Professional

From: Chriss3 [MVP] (noSpamHere_at_chrisse.se)
Date: 07/06/04


Date: Wed, 7 Jul 2004 00:01:27 +0200

Each user can change some fields on their own account by default; it's an
entry in the ACL defined for the dynamic object Self. You should perhaps select
to do a customized delegation within the wizard.

-- 
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
<anonymous@discussions.microsoft.com> wrote in message
news:26f6f01c46398$09733320$a601280a@phx.gbl...
> I've done the DELEGATION WIZARD.  I've given the user access
> to review user information and change password.  But when
> the user accesses her MMC console she can make changes to
> the user account information.  Am I missing something?
> Can she have more rights flowing downwards that is
> overwriting the rights on a particular OU?
>
> Could the problem be that the user's rights are not applied
> when accessing the AD from Windows 2000 Professional
> instead of the server?
>
>
> >-----Original Message-----
> >Use the Delegation of Control wizard.
> >
> >You need to delegate reset password ability for the container where the
> >users exist in.
> >
> >You can't hide what they shouldn't see, by default users have read rights on
> >the directory unless it's set into List Object Content Mode.
> >
> >-- 
> >Regards
> >Christoffer Andersson
> >Microsoft MVP - Directory Services
> >
> >No email replies please - reply in the newsgroup
> >------------------------------------------------
> >http://www.chrisse.se - Active Directory Tips
> >
> >"Michael" <anonymous@discussions.microsoft.com> wrote in message
> >news:2770201c4638f$519d4130$a501280a@phx.gbl...
> >> Windows 2000 AD tree
> >>
> >> Want to give HELP DESK staff access to AD to change user
> >> passwords from their Windows 2000 Professional. I am able
> >> to set up the Active Directory MMC console on the W2K
> >> Professional.  But can't seem to limit their access to
> >> only the users' folder and to change passwords only.
> >>
> >> Please advise.
> >>
> >> TIA
> >
> >
> >.
> >
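
The distinction drawn in the reply at the top of this message, between rights that come from the delegation and rights every user holds on their own account through the Self entry, can be checked by reading an object's DACL. The following is an added example, not part of the original thread: the sample DACL and the help-desk group SID are constructed, the two GUIDs are the schema's Reset Password extended right and Personal Information property set, and the model is simplified (allow ACEs only, two-letter SDDL rights codes only).

```python
import re

# GUIDs from the Active Directory schema.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # extended right
PERSONAL_INFO = "77b5b886-944a-11d1-aebd-0000f80367c1"   # property set
NAMES = {RESET_PASSWORD: "Reset Password", PERSONAL_INFO: "Personal Information"}

# Constructed sample: DACL of one user object. The help-desk SID is hypothetical.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_DACL = (
    "D:"
    "(A;;RPLCLORC;;;AU)"                        # Authenticated Users: read only
    f"(OA;;RPWP;{PERSONAL_INFO};;PS)"           # Self: edit own personal information
    f"(OA;ID;CR;{RESET_PASSWORD};;{HELPDESK})"  # inherited from the OU delegation
)

ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")
FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")
MODIFYING = {"WP", "CR", "GA", "GW", "WD", "WO"}  # rights that change the object

def parse_aces(sddl):
    """Split an SDDL DACL string into one dict per ACE."""
    return [dict(zip(FIELDS, m.groups())) for m in ACE_RE.finditer(sddl)]

def rights_list(rights):
    """SDDL rights are concatenated two-letter codes: 'RPWP' -> ['RP', 'WP']."""
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]

def change_rights(sddl, user_sids, editing_own_account):
    """Return (trustee, rights, scope) for each allow ACE that lets the user
    modify the object. user_sids holds the user's own and group SIDs; PS
    (Principal Self) matches only when the user edits their own account."""
    found = []
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA"):
            continue  # simplification: deny and audit ACEs are not evaluated
        applies = ace["trustee"] in user_sids or (
            ace["trustee"] == "PS" and editing_own_account)
        modifying = MODIFYING & set(rights_list(ace["rights"]))
        if applies and modifying:
            scope = NAMES.get(ace["object"].lower(), ace["object"] or "all properties")
            found.append((ace["trustee"], sorted(modifying), scope))
    return found

if __name__ == "__main__":
    sids = {HELPDESK, "AU"}
    print("on another user:", change_rights(SAMPLE_DACL, sids, False))
    print("on own account: ", change_rights(SAMPLE_DACL, sids, True))
```

With this sample, a help-desk member gets only Reset Password on another user's object, while on her own account the Self entry additionally allows writes to Personal Information.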
