Re: Unlock acct permissions
From: Brian (Brian_at_discussions.microsoft.com)
Date: 02/21/05
- In reply to: Joe Richards [MVP]: "Re: Unlock acct permissions"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: Unlock acct permissions"
- Reply: Cary Shultz [A.D. MVP]: "Re: Unlock acct permissions"
- Reply: Joe Richards [MVP]: "Re: Unlock acct permissions"
Date: Mon, 21 Feb 2005 05:37:02 -0800
You know Joe I have many Windows books and have read them but unfortunately
they don't go into enough detail about how to correct this issue. I wish I
worked for a large company that had training and many IT people but
unfortunately that's not the case. I'm the entire IT department, so it's jack
of all trades master of none. I will look at your answer, do some more
research after I get back setting up a new domain in remote office and see
what I can do. In the meantime you keep being an expert for us "green"
working people. Thanks
"Joe Richards [MVP]" wrote:
> This stuff works as designed, trust me, I have built an enterprise class
> directory (>250,000 users) and worked on several other enterprise class
> directories (>100k).
>
> dsacls is a tool in the support tools. If you have them installed you should
> simply be able to type
>
> dsacls DN_OF_OBJECT
>
> and it will show you the actual ACL on an AD Object.
>
>
> If you want to quickly check if the adminSDHolder functionality is causing
> issues, go grab adfind from my website and run the following command
>
> adfind -default -f samaccountname=userid admincount
>
> If there is a value returned and it isn't 0, that means you are being impacted
> by adminSDHolder and you should search google for that term.
>
> Overall you appear to be a very "green" admin and you should buy one or more
> books and learn this stuff before you do too much more. You need to get a handle
> on the basic concepts and thoughts before you hurt yourself by giving too many
> rights in the forest to others.
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian wrote:
> > I don't know what an enhanced account is. I'm just trying to give a user
> > account unlock permission for an OU by making them a member of a security
> > group in that OU with permission to unlock accounts. How to do the rest of
> > what you're writing about I have no idea how to accomplish. How do I verify
> > delegation? How do I get DSACLS to run on a specific account? I guess it is
> > not possible to make a sub-administrator, nothing I have done or been told
> > has made any difference. The permissions in the security do not seem to
> > apply to its members. Everyone will have to be full admins unless I can make
> > this Windows permissions work as desired.
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>By any chance is the account they are trying to work on another enhanced user
> >>account, say an account op or something? If so, look into adminSDHolder posts.
> >>If not, look at the ACL with DSACLS and verify the delegation occurred as
> >>expected and if it is correct (should be WP on lockoutTime) then have the admin
> >>log off and log on and try again.
> >>
> >> joe
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Brian wrote:
> >>
> >>>Thanks I applied both methods on article 279723 plus article 294952 and still
> >>>no access. The correct permissions are on the security group, the user I
> >>>added to the security group still cannot do anything with account unlock or
> >>>password reset. Where can I see the effective permissions of the user since
> >>>they are a member of this security group? The security group is a member of
> >>>the built-in Account Operators as well. Is there default deny on regular
> >>>users accounts that is blocking this? Any help in what this could be would
> >>>be appreciated. Thanks
> >>>
> >>>"Laura E. Hunter (MVP)" wrote:
> >>>
> >>>
> >>>
> >>>>How to grant help desk personnel the specific right to unlock user accounts:
> >>>>http://support.microsoft.com/?kbid=279723
> >>>>
> >>>>--
> >>>>Laura E. Hunter
> >>>>Microsoft MVP - Windows Server Networking
> >>>>All information provided "AS-IS", no warranties expressed or implied.
> >>>>Replies to newsgroup only.
> >>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>>>
> >>>>
> >>>>>What permissions are necessary for a user to be able to unlock an account
> >>>>>or reset a password. I have an MMC created for user to reset passwords (will
> >>>>>this fix an account lockout?) in an OU. I have the user added to an admin
> >>>>>group I created for the OU. I continued to get access denied when trying to
> >>>>>reset password. What permissions are necessary and where to access them
> >>>>>as the enterprise admin. Does password reset unlock an account or is that
> >>>>>separate permissions? Thanks
> >>>>
> >>>>
> >>>>
>
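Added example, not part of the thread or any poster's code: the two checks discussed above (a non-zero adminCount, and WP on lockoutTime in the object's ACL) combined into one classifier over the SDDL form of a user object's security descriptor. The SDDL strings, the group SID and the function names are constructed for illustration; deny ACEs and nested group membership are not evaluated.

```python
import re

# schemaIDGUID of the lockoutTime attribute in the AD schema
LOCKOUT_TIME = "28630ebf-41d5-11d1-a9c1-0000f80367c1"
WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP, written "WP" in SDDL

# Constructed samples: SDDL of two user objects and the SID of the delegated group.
# bf967aba-... is the schemaIDGUID of the user class (inherited object type).
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1604"
NORMAL_USER = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
               "(OA;CIID;WP;" + LOCKOUT_TIME +
               ";bf967aba-0de6-11d0-a285-00aa003049e2;" + GROUP + ")")
PROTECTED_USER = "O:DAG:DAD:PAI(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;DA)(A;;RPLCLORC;;;AU)"

def pairs(s):
    """Split SDDL ACE flags/rights such as 'CIID' into two-letter codes."""
    return re.findall("..", s)

def parse_dacl(sddl):
    """Return (protected, aces) for the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = [a.split(";") for a in re.findall(r"\(([^()]*)\)", m.group(2))]
    # 'P' = protected DACL: ACEs delegated on the parent OU are not inherited
    return "P" in m.group(1), [a for a in aces if len(a) >= 6]

def grants_wp(rights):
    """True if the rights field (letter codes or a hex mask) includes WP."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_PROP)
    return "WP" in pairs(rights)

def unlock_status(sddl, group_sid, admin_count):
    """Classify whether group_sid can write lockoutTime on this object."""
    protected, aces = parse_dacl(sddl)
    for typ, flags, rights, obj, _inh_obj, trustee in (a[:6] for a in aces):
        applies_here = "IO" not in pairs(flags)   # inherit-only skips this object
        on_lockout = obj.lower() in ("", LOCKOUT_TIME)  # "" = every property
        if (typ in ("A", "OA") and trustee == group_sid and applies_here
                and on_lockout and grants_wp(rights)):
            return "delegated"
    if admin_count and protected:
        return "blocked-by-adminsdholder"
    return "not-delegated"

if __name__ == "__main__":
    print(unlock_status(NORMAL_USER, GROUP, 0))
    print(unlock_status(PROTECTED_USER, GROUP, 1))
```

A "blocked-by-adminsdholder" result means the OU-level delegation never reaches the object because its ACL is protected from inheritance, which is the situation the adminCount check in the thread is meant to reveal.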