Re: Unlock acct permissions

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 02/21/05


Date: Mon, 21 Feb 2005 09:14:38 -0500

Brian,

Please do not misunderstand Joe's comments. I am not going to attempt to
put words in Joe's mouth - he is a big boy and can take care of that
himself.

I think what Joe was trying to get across to you is that there were several
very basic things of which you were not aware. This would usually not be a
good thing. It does not have to be a bad thing, but it is not a good thing.
Generally speaking. There are a lot of 'IT Departments' full of people who
know how to format a Word Document or create a pivot table in Excel. This
does not make them Systems Administrators. This makes them Help Desk.
Usually because of their 'advanced computer skills' they are placed in the
IT Department. But they should really be in the Help Desk department.
Granted, if you work for a small company then it is often the case that the
IT Department is also the Help Desk Department.

Reading books is a good thing, but usually - as you are finding out - leaves
several things uncovered. You are correct in that most of the books are
terribly lacking in detailed information. They cover the top layer very
well. And that is important. But they usually do not go much deeper than
that. You might want to look at 'Inside Active Directory' for a really
really really good book on WIN2000 Active Directory.

And working in a test lab is very important. When I started out with Active
Directory this is what I did. Set up a test lab with two domain controllers
and two workstations. Do not even worry about Exchange for the moment. Read
the posts in this newsgroup as well as in the group policy news group and
play with things in your test environment and then intentionally break
things so that you get a feel for 'this happens if that happened' type
stuff.

Also, install the Support Tools from the Service Pack CD-Media. Become
familiar with dcdiag, netdiag, repadmin, replmon, netdom and nltest. There
are several others of great help but start with these. You might also want
to go to Joe's web site and look at his tools ( adfind and oldcmp are two
very useful tools ).

Joe is one of the best in the world. Yep! In the world. Not in this state
or in this country or on this continent. In the world. When you deal with
the environments that he has you have to know everything inside and out.
Just like you know how to ride a bike and how to put food in your mouth when
it is dark ( without stabbing yourself in the lip or cheek )!

I really do not think that Joe was trying to disparage you. I have often
told people that they were a bit inexperienced and might be better off not
being the one to do what needed to be done.

As long as everything is working just fine anyone can be a Sys Admin. But
what happens when things do not?

-- 
Cary W. Shultz
Roanoke, VA  24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Brian" <Brian@discussions.microsoft.com> wrote in message 
news:00C639B9-42AE-4DAE-8049-A4293D522A07@microsoft.com...
> You know Joe I have many Windows books and have read them but unfortunately
> they don't go into enough detail about how to correct this issue.  I wish I
> worked for a large company that had training and many IT people but
> unfortunately that's not the case.  I'm the entire IT department, so it's jack
> of all trades master of none.  I will look at your answer, do some more
> research after I get back from setting up a new domain in a remote office and see
> what I can do.  In the meantime you keep being an expert for us "green"
> working people.  Thanks
>
> "Joe Richards [MVP]" wrote:
>
>> This stuff works as designed, trust me, I have built an enterprise class
>> directory (>250,000 users) and worked on several other enterprise class
>> directories (>100k).
>>
>> dsacls is a tool in the support tools. If you have them installed you should
>> simply be able to type
>>
>> dsacls DN_OF_OBJECT
>>
>> and it will show you the actual ACL on an AD Object.
>>
>>
>> If you want to quickly check if the adminSDHolder functionality is causing
>> issues, go grab adfind from my website and run the following command
>>
>> adfind -default -f samaccountname=userid admincount
>>
>> If there is a value returned and it isn't 0, that means you are being impacted
>> by adminSDHolder and you should search google for that term.
>>
>> Overall you appear to be a very "green" admin and you should buy one or more
>> books and learn this stuff before you do too much more. You need to get a handle
>> on the basic concepts and thoughts before you hurt yourself by giving too many
>> rights in the forest to others.
>>
>>    joe
>>
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Brian wrote:
>> > I don't know what an enhanced account is.  I'm just trying to give a user
>> > account unlock permission for an OU by making them a member of a security
>> > group in that OU with permission to unlock accounts.  How to do the rest of
>> > what you're writing about I have no idea how to accomplish.  How do I verify
>> > delegation?  How do I get DSACLS to run on a specific account?  I guess it is
>> > not possible to make a sub-administrator, nothing I have done or been told
>> > has made any difference.  The permissions in the security do not seem to
>> > apply to its members.  Everyone will have to be full admins unless I can make
>> > these Windows permissions work as desired.
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >
>> >>By any chance is the account they are trying to work on another enhanced user
>> >>account, say an account op or something? If so, look into adminSDHolder posts.
>> >>If not, look at the ACL with DSACLS and verify the delegation occurred as
>> >>expected and if it is correct (should be WP on lockoutTime) then have the admin
>> >>log off and log on and try again.
>> >>
>> >>   joe
>> >>
>> >>--
>> >>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>www.joeware.net
>> >>
>> >>
>> >>Brian wrote:
>> >>
>> >>>Thanks, I applied both methods on article 279723 plus article 294952 and still
>> >>>no access.  The correct permissions are on the security group, the user I
>> >>>added to the security group still cannot do anything with account unlock or
>> >>>password reset.  Where can I see the effective permissions of the user since
>> >>>they are a member of this security group?  The security group is a member of
>> >>>the built-in Account operators as well.  Is there a default deny on regular
>> >>>user accounts that is blocking this?  Any help in what this could be would
>> >>>be appreciated.  Thanks
>> >>>
>> >>>"Laura E. Hunter (MVP)" wrote:
>> >>>
>> >>>
>> >>>
>> >>>>How to grant help desk personnel the specific right to unlock user accounts:
>> >>>>http://support.microsoft.com/?kbid=279723
>> >>>>
>> >>>>-- 
>> >>>>Laura E. Hunter
>> >>>>Microsoft MVP - Windows Server Networking
>> >>>>All information provided "AS-IS", no warranties expressed or implied.
>> >>>>Replies to newsgroup only.
>> >>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>> >>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>> >>>>
>> >>>>
>> >>>>>What permissions are necessary for a user to be able to unlock an account
>> >>>>>or reset a password?  I have an MMC created for a user to reset passwords (will
>> >>>>>this fix an account lockout?) in an OU.  I have the user added to an admin
>> >>>>>group I created for the OU.  I continued to get access denied when trying to
>> >>>>>reset a password.  What permissions are necessary and where do I access them
>> >>>>>as the enterprise admin?  Does password reset unlock an account or is that
>> >>>>>a separate permission? Thanks
>> >>>>
>> >>>>
>> >>>>
>> 
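As an added example (not code from this thread, from joeware or from Microsoft), a PowerShell check that does what Joe's two replies describe for one target account: read its adminCount to see whether adminSDHolder protection applies, and confirm that the delegated ACEs unlocking and password reset need (WP on lockoutTime, and the separate "Reset Password" control access right) are actually on the object for the help-desk group. Assumed: the ActiveDirectory RSAT module is installed, and the group name 'CONTOSO\HelpDesk-Unlock' is a constructed placeholder.

```powershell
# Added example (not the thread's or joeware's code). Reports, for one user object, whether
# adminSDHolder protection applies and whether $Trustee holds the ACEs that unlock and
# password reset require. Assumes the ActiveDirectory module and read access to the ACL.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # the account being unlocked
    [Parameter(Mandatory)][string]$Trustee           # e.g. 'CONTOSO\HelpDesk-Unlock' (constructed)
)
Import-Module ActiveDirectory
$root = Get-ADRootDSE

# Resolve both GUIDs from this forest's schema/configuration instead of hard-coding them.
$lockoutGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
$protected = ($null -ne $user.adminCount) -and ($user.adminCount -ne 0)

$acl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$aces  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Trustee }
$allow = $aces | Where-Object { $_.AccessControlType -eq 'Allow' }
$deny  = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

$WP = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GA = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Unlock needs GenericAll, WriteProperty on all properties (empty ObjectType) or on lockoutTime.
$canUnlock = [bool]($allow | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($GA) -or
    ($_.ActiveDirectoryRights.HasFlag($WP) -and
     ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $lockoutGuid)) })
# Reset Password is a control access right of its own; it does not come with lockoutTime.
$canReset = [bool]($allow | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($GA) -or
    ($_.ActiveDirectoryRights.HasFlag($ER) -and
     ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $resetGuid)) })

[pscustomobject]@{
    User                   = $user.DistinguishedName
    AdminSDHolderProtected = $protected
    TrusteeCanUnlock       = $canUnlock
    TrusteeCanResetPwd     = $canReset
    ExplicitDenyACEs       = @($deny).Count
}
if ($protected) {
    Write-Warning "adminCount=$($user.adminCount): SDProp keeps replacing this object's ACL with adminSDHolder's, so OU-level delegation will not stick."
}
```

Run it as the delegating admin against one of the accounts the help-desk user cannot unlock; a protected target, a missing lockoutTime ACE, or an explicit Deny each explains the access-denied result on its own.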

