Re: Unlock acct permissions
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/26/05
- Next message: smosh: "Re: Win2K client: unable to login locally, deleted from domain"
- Previous message: ptwilliams: "Re: Active Directory Integrated Zone"
- In reply to: Herb Martin: "Re: Unlock acct permissions"
- Next in thread: Jimmy Andersson [MVP]: "Re: Unlock acct permissions"
- Reply: Jimmy Andersson [MVP]: "Re: Unlock acct permissions"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 26 Feb 2005 10:00:37 -0000
If in-depth understanding is what you're after, then there's also the
Resource Kit ;-). It's fatter than most, and quite dry in parts, but
complemented with Inside... by Kouti and Seitsonen you've got it all...
Herb, Joe, Cary,
Have any of you looked at AD Forestry?
http://www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref=pd_sim_b_dp_5/202-4807295-4545454
I've heard that it's good, and was hoping one of the guys in work would buy
it so I could have a nose without needing to charge it to my card ;-)
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/

"Herb Martin" <news@LearnQuick.com> wrote in message news:eHiIPc4GFHA.3272@TK2MSFTNGP10.phx.gbl...
Add Gary Olsen's (New Riders I believe) "Active Directory Design and
Deployment" to the list. It may actually be the best of the bunch but it is
very old now so it is mostly about those GOOD FUNDAMENTALS that one needs and
which Joe referenced.

--
Herb Martin

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message news:ORybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
> Brian, take a look at the following
>
> 1. O'Reilly Active Directory, 2e
> 2. O'Reilly Active Directory Cookbook
> 3. Addison Wesley Inside Active Directory: A System Administrator's Guide, 2e.
>
> These are some of the best books out there right now for AD Admin level stuff.
> The first book is a great primer for learning core concepts. The second book has
> a ton of scripts and GUI solutions to various problems. The third book is a
> great in depth book on AD and will teach you probably more than you ever want to
> know.
>
> I haven't read #1 though I read the first edition of it. I am sure Robbie did a
> great treatment of it though in the second edition and doubt it is worse than it
> was when I read it. I was a technical reviewer for both #2 and #3 and I know the
> content is great in both of them.
>
> The big thing about AD is that it isn't NT. In that, I mean that you really
> didn't need to know too much to run an NT domain, anyone could fire it up and it
> would generally work. However it was extremely limited. AD came along and
> removed the limitations and gave a lot more flexibility but also added a bunch
> of complexity. In order to do it well, you have to spend a good amount of time
> working on it. I have spent the last 5 years working on it, I didn't get to
> where I am from training and having large IT departments. I simply worked with
> it. In fact, large companies aren't all that great about sending people to
> training and in the three positions I have held running domains I have been one
> of 3-5 people responsible for domains holding anywhere from 2000-250,000 users
> and from 10-400 domain controllers. Not large groups of admins by any stretch of
> the word. It actually forces you to be really good.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> Brian wrote:
> > You know Joe I have many Windows books and have read them but unfortunately
> > they don't go into enough detail about how to correct this issue. I wish I
> > worked for a large company that had training and many IT people but
> > unfortunately that's not the case. I'm the entire IT department, so it's jack
> > of all trades master of none. I will look at your answer, do some more
> > research after I get back from setting up a new domain in a remote office and see
> > what I can do. In the mean time you keep being an expert for us "green"
> > working people. Thanks
> >
> > "Joe Richards [MVP]" wrote:
> >
> >>This stuff works as designed, trust me, I have built an enterprise class
> >>directory (>250,000 users) and worked on several other enterprise class
> >>directories (>100k).
> >>
> >>dsacls is a tool in the support tools. If you have them installed you should
> >>simply be able to type
> >>
> >>dsacls DN_OF_OBJECT
> >>
> >>and it will show you the actual ACL on an AD Object.
> >>
> >>If you want to quickly check if the adminSDHolder functionality is causing
> >>issues, go grab adfind from my website and run the following command
> >>
> >>adfind -default -f samaccountname=userid admincount
> >>
> >>If there is a value returned and it isn't 0, that means you are being impacted
> >>by adminSDHolder and you should search google for that term.
> >>
> >>Overall you appear to be a very "green" admin and you should buy one or more
> >>books and learn this stuff before you do too much more. You need to get a handle
> >>on the basic concepts and thoughts before you hurt yourself by giving too many
> >>rights in the forest to others.
> >>
> >> joe
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>Brian wrote:
> >>
> >>>I don't know what an enhanced account is. I'm just trying to give a user
> >>>account unlock permission for an OU by making them a member of a security
> >>>group in that OU with permission to unlock accounts. How to do the rest of
> >>>what you're writing about I have no idea how to accomplish. How do I verify
> >>>delegation? How do I get DSACLS to run on a specific account? I guess it is
> >>>not possible to make a sub-administrator, nothing I have done or been told
> >>>has made any difference. The permissions in the security group do not seem to
> >>>apply to its members. Everyone will have to be full admins unless I can make
> >>>these Windows permissions work as desired.
> >>>
> >>>"Joe Richards [MVP]" wrote:
> >>>
> >>>>By any chance is the account they are trying to work on another enhanced user
> >>>>account, say an account op or something? If so, look into adminSDHolder posts.
> >>>>If not, look at the ACL with DSACLS and verify the delegation occurred as
> >>>>expected and if it is correct (should be WP on lockoutTime) then have the admin
> >>>>log off and log on and try again.
> >>>>
> >>>> joe
> >>>>
> >>>>--
> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>www.joeware.net
> >>>>
> >>>>Brian wrote:
> >>>>
> >>>>>Thanks I applied both methods in article 279723 plus article 294952 and still
> >>>>>no access. The correct permissions are on the security group, the user I
> >>>>>added to the security group still cannot do anything with account unlock or
> >>>>>password reset. Where can I see the effective permissions of the user since
> >>>>>they are a member of this security group? The security group is a member of
> >>>>>the built-in Account Operators as well. Is there a default deny on regular
> >>>>>user accounts that is blocking this? Any help in what this could be would
> >>>>>be appreciated. Thanks
> >>>>>
> >>>>>"Laura E. Hunter (MVP)" wrote:
> >>>>>
> >>>>>>How to grant help desk personnel the specific right to unlock user accounts:
> >>>>>>http://support.microsoft.com/?kbid=279723
> >>>>>>
> >>>>>>--
> >>>>>>Laura E. Hunter
> >>>>>>Microsoft MVP - Windows Server Networking
> >>>>>>All information provided "AS-IS", no warranties expressed or implied.
> >>>>>>Replies to newsgroup only.
> >>>>>>
> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>>>>>
> >>>>>>>What permissions are necessary for a user to be able to unlock an account
> >>>>>>>or reset a password. I have an MMC created for a user to reset passwords (will
> >>>>>>>this fix an account lockout?) in an OU. I have the user added to an admin
> >>>>>>>group I created for the OU. I continue to get access denied when I try to
> >>>>>>>reset a password. What permissions are necessary and where do I access them
> >>>>>>>as the enterprise admin. Does password reset unlock an account or is that
> >>>>>>>a separate permission? Thanks
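The two checks Joe recommends in the quoted thread (is the target account protected by adminSDHolder, and does the delegated group actually hold WriteProperty on lockoutTime?) can be scripted. The following is an added example written for this page, not code from the thread or from Joe's tools; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the parameter names and the group/user it inspects are placeholders.

```powershell
# Added example: diagnose why a delegated helpdesk group cannot unlock a user.
# Check 1: adminCount != 0 means adminSDHolder will overwrite OU delegation.
# Check 2: the user's ACL must grant the group WriteProperty on lockoutTime.
# Assumes the RSAT ActiveDirectory module; names below are hypothetical.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,  # user that cannot be unlocked
    [Parameter(Mandatory)] [string]$GroupName        # delegated helpdesk group
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
if ($user.adminCount -and $user.adminCount -ne 0) {
    Write-Warning ("{0} has adminCount={1}: adminSDHolder resets its ACL hourly, " +
                   "so OU-level delegation will not stick on this object.") -f $SamAccountName, $user.adminCount
}

# Look up the schemaIDGUID of lockoutTime from the schema instead of hard-coding it.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$lockoutAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutGuid = [guid]$lockoutAttr.schemaIDGUID

# Compare ACE trustees by SID so display-name differences do not matter.
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$matching = $acl.Access | Where-Object {
    $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
    $sid -eq $groupSid -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    # ObjectType Empty = "all properties"; otherwise it must be the lockoutTime GUID.
    ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $lockoutGuid)
}

if (-not $matching) {
    Write-Output "No Allow/Deny ACE for $GroupName covering lockoutTime on $($user.DistinguishedName)."
} else {
    # A Deny ACE for the same right explains "access denied" even when an Allow exists.
    $matching | Select-Object AccessControlType, ActiveDirectoryRights, IsInherited,
        @{n='Scope'; e={ if ($_.ObjectType -eq [guid]::Empty) { 'all properties' } else { 'lockoutTime' } }}
}
```

Run it as a user allowed to read the object's security descriptor; if the only matching ACEs are inherited from the OU and the account has a non-zero adminCount, the OU delegation is being overwritten and the account needs to be handled outside the helpdesk delegation model.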