Re: Unlock acct permissions
From: Jimmy Andersson [MVP] (jimmy_NO_SPAM__at_mvps.org)
Date: 02/26/05
- Next message: Andrei Ungureanu: "Re: Win2K client: unable to login locally, deleted from domain"
- Previous message: scott: "Re: Client Can't join Domain - SOLVED"
- In reply to: ptwilliams: "Re: Unlock acct permissions"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 26 Feb 2005 17:48:11 +0100
I have that book, it's ok - no more no less, but that's just my 2 cents.
Kouti and Seitsonen's book is much better...
Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:ufGyRm%23GFHA.3484@TK2MSFTNGP12.phx.gbl...
> If in depth understanding is what you're after, then there's also the
> Resource Kit ;-). It's fatter than most, and quite dry in parts, but
> complemented with Inside... by Kouti and Seitsonen and you've got it
> all...
>
> Herb, Joe, Cary,
>
> Have any of you looked at AD Forestry?
>
> http://www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref=pd_sim_b_dp_5/202-4807295-4545454
>
> I've heard that it's good, and was hoping one of the guys in work would buy
> it so I could have a nose without needing to charge it to my card ;-)
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eHiIPc4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> Add Gary Olsen's (New Riders I believe)
> "Active Directory Design and Deployment"
> to the list.
>
> It may actually be the best of the bunch but it
> is very old now so it is mostly about those
> GOOD FUNDAMENTALS that one needs
> and which Joe referenced.
>
> --
> Herb Martin
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:ORybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
>> Brian, take a look at the following
>>
>> 1. O'Reilly Active Directory, 2e
>> 2. O'Reilly Active Directory Cookbook
>> 3. Addison Wesley Inside Active Directory: A System Administrator's Guide, 2e.
>>
>> These are some of the best books out there right now for AD Admin level stuff.
>> The first book is a great primer for learning core concepts. The second book has
>> a ton of scripts and GUI solutions to various problems. The third book is a
>> great in depth book on AD and will teach you probably more than you ever want to
>> know.
>>
>> I haven't read #1 though I read the first edition of it. I am sure Robbie did a
>> great treatment of it though in the second edition and doubt it is worse than it
>> was when I read it. I was a technical reviewer for both #2 and #3 and I know the
>> content is great in both of them.
>>
>> The big thing about AD is that it isn't NT. In that, I mean that you really
>> didn't need to know too much to run an NT domain, anyone could fire it up and it
>> would generally work. However it was extremely limited. AD came along and
>> removed the limitations and gave a lot more flexibility but also added a bunch
>> of complexity. In order to do it well, you have to spend a good amount of time
>> working on it. I have spent the last 5 years working on it, I didn't get to
>> where I am from training and having large IT departments. I simply worked with
>> it. In fact, large companies aren't all that great about sending people to
>> training and in the three positions I have held running domains I have been one
>> of 3-5 people responsible for domains holding anywhere from 2000-250,000 users
>> and from 10-400 domain controllers. Not large groups of admins by any stretch of
>> the word. It actually forces you to be really good.
>>
>>
>> joe
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Brian wrote:
>> > You know Joe I have many Windows books and have read them but unfortunately
>> > they don't go into enough detail about how to correct this issue. I wish I
>> > worked for a large company that had training and many IT people but
>> > unfortunately that's not the case. I'm the entire IT department, so it's jack
>> > of all trades master of none. I will look at your answer do some more
>> > research after I get back setting up a new domain in remote office and see
>> > what I can do. In the mean time you keep being an expert for us "green"
>> > working people. Thanks
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >>This stuff works as designed, trust me, I have built an enterprise class
>> >>directory (>250,000 users) and worked on several other enterprise class
>> >>directories (>100k).
>> >>
>> >>dsacls is a tool in the support tools. If you have them installed you should
>> >>simply be able to type
>> >>
>> >>dsacls DN_OF_OBJECT
>> >>
>> >>and it will show you the actual ACL on an AD Object.
>> >>
>> >>If you want to quickly check if the adminSDHolder functionality is causing
>> >>issues, go grab adfind from my website and run the following command
>> >>
>> >>adfind -default -f samaccountname=userid admincount
>> >>
>> >>If there is a value returned and it isn't 0, that means you are being impacted
>> >>by adminSDHolder and you should search google for that term.
>> >>
>> >>Overall you appear to be a very "green" admin and you should buy one or more
>> >>books and learn this stuff before you do too much more. You need to get a handle
>> >>on the basic concepts and thoughts before you hurt yourself by giving too many
>> >>rights in the forest to others.
>> >>
>> >> joe
>> >>
>> >>--
>> >>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>www.joeware.net
>> >>
>> >>
>> >>Brian wrote:
>> >>
>> >>>I don't know what an enhanced account is. I'm just trying to give a user
>> >>>account unlock permission for an OU by making them a member of a security
>> >>>group in that OU with permission to unlock accounts. How to do the rest of
>> >>>what you're writing about I have no idea how to accomplish. How do I verify
>> >>>delegation? How do I get DSACLS to run on a specific account? I guess it is
>> >>>not possible to make a sub-administrator, nothing I have done or been told
>> >>>has made any difference. The permissions in the security do not seem to
>> >>>apply to its members. Every one will have to be full admins unless I can make
>> >>>this Windows permissions work as desired.
>> >>>
>> >>>"Joe Richards [MVP]" wrote:
>> >>>
>> >>>>By any chance is the account they are trying to work on another enhanced user
>> >>>>account, say an account op or something? If so, look into adminSDHolder posts.
>> >>>>If not, look at the ACL with DSACLS and verify the delegation occurred as
>> >>>>expected and if it is correct (should be WP on lockoutTime) then have the admin
>> >>>>log off and log on and try again.
>> >>>>
>> >>>> joe
>> >>>>
>> >>>>--
>> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>>>www.joeware.net
>> >>>>
>> >>>>
>> >>>>Brian wrote:
>> >>>>
>> >>>>>Thanks I applied both methods on article 279723 plus article 294952 and still
>> >>>>>no access. The correct permissions are on the security group, the user I
>> >>>>>added to the security group still cannot do anything with account unlock or
>> >>>>>password reset. Where can I see the effective permissions of the user since
>> >>>>>they are a member of this security group? The security group is a member of
>> >>>>>the built-in Account operators as well. Is there default deny on regular
>> >>>>>users accounts that is blocking this? Any help in what this could be would
>> >>>>>be appreciated. Thanks
>> >>>>>
>> >>>>>"Laura E. Hunter (MVP)" wrote:
>> >>>>>
>> >>>>>>How to grant help desk personnel the specific right to unlock user accounts:
>> >>>>>>http://support.microsoft.com/?kbid=279723
>> >>>>>>
>> >>>>>>--
>> >>>>>>Laura E. Hunter
>> >>>>>>Microsoft MVP - Windows Server Networking
>> >>>>>>All information provided "AS-IS", no warranties expressed or implied.
>> >>>>>>Replies to newsgroup only.
>> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>> >>>>>>
>> >>>>>>>What permissions are necessary for a user to be able to unlock an account or
>> >>>>>>>reset a password. I have an MMC created for user to reset passwords (will
>> >>>>>>>this fix an account lockout?) in an OU. I have the user added to a admin
>> >>>>>>>group I created for the OU. I continued to get access denied when try to
>> >>>>>>>reset password. What permissions are necessary and where to access them as
>> >>>>>>>the enterprise admin. Does password reset unlock an account or is that
>> >>>>>>>separate permissions? Thanks
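
The two checks described in the quoted thread (is adminCount set on the target account, and does any ACE on it grant write-property on lockoutTime), as an added example that is not from any poster in the thread. It assumes the ActiveDirectory PowerShell module in place of adfind and dsacls; `userid` is the thread's placeholder account name and `Test-UnlockDelegation` is a hypothetical helper name.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-UnlockDelegation {            # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName            # the account that cannot be unlocked
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf

    # Check 1 (the adfind test): adminCount present and non-zero means the account
    # is covered by adminSDHolder, so its ACL is reset from the AdminSDHolder
    # template and a delegation made on the OU does not stay on the object.
    $protected = ($null -ne $user.adminCount) -and ($user.adminCount -ne 0)

    # Resolve lockoutTime's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
    $lockoutGuid = [guid] $attr.schemaIDGUID

    # Check 2 (the dsacls test): Allow ACEs scoped to lockoutTime with WriteProperty.
    # Broader grants (write all properties, full control) carry an empty ObjectType
    # and are not listed here.
    $wp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $lockoutGuid -and
        ($_.ActiveDirectoryRights -band $wp)
    }

    [pscustomobject]@{
        Account             = $user.SamAccountName
        AdminCount          = $user.adminCount
        AdminSDHolderLikely = $protected
        MemberOf            = $user.memberOf
        LockoutTimeWriters  = $writers | Select-Object IdentityReference, IsInherited
    }
}

Test-UnlockDelegation -SamAccountName 'userid'
```

If `AdminSDHolderLikely` is true, the `MemberOf` list shows which group membership to review; if it is false and `LockoutTimeWriters` is empty, the delegation never reached the object.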