Re: Password Reset and Unlock unable to disable..

---

• From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
• Date: Fri, 06 Jan 2006 11:56:35 -0500

---

Even though the pick is there, if the delegation is done correctly they will not be able to do a reset or unlock. You should probably dump the ACL for a user with dsacls and post it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Bob wrote:

yes, the right option is still there but eventually its still able to perform the password reset and even unlock the account although the view for them is all deem. Even under the Account tab the option user must change the password for the next logon is not deem . We done a test already.. please advise . tq

"Joe Richards [MVP]" wrote:

If you mean password reset is still in the right click options, you are correct, that is displayed for everyone, it isn't based on actual permissions on the objects.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Bob wrote:

I'm an access administrator for a company to maintain users account in AD. I had created a user account for helpdesk to have a view only on AD but the problem is that the password reset option and account unlock is still available when the helpdesk search for a user and look at the details. What went wrong here?? Is there any security permission i missed out in the built-in group or any group ?? and I have don;t have the full administration access to modify certain group or security permission but I able to view it . If you could help me to pinpoint which part of AD to look at then I could raise up an issue to the server administrator.. Thank you

.

---

• References:
  • Re: Password Reset and Unlock unable to disable..
    • From: Joe Richards [MVP]

• Prev by Date: urgent , VSS problem pls help
• Next by Date: Re: Is DCPromo to demote a lengthy process?
• Previous by thread: Re: Password Reset and Unlock unable to disable..
• Next by thread: Re: How could I list all folder right user
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Giving rights to a group to reset and unlock users in a AD domain ... To reset password use the "delgate control" wizard and also use the settings in the article to give the permissions to unlock accounts: ... The AdminSDHolder process runs on some protected groups and removes delegated permissions and inheritance if set. ... "Account Password Reset group" and I need to give them the right to ... (microsoft.public.windows.server.active_directory) Re: Account Lockout ... "How to Grant Help Desk Personnel the Specific Right to Unlock Locked ... the reset it executed and the flag is cleared. ... bactchjob that calls CHOICE to ask "reset account ". ... >user account (local computer, not domain user account) ... (Security-Basics) Giving rights to a group to reset and unlock users in a AD domain ... I am trying to add this group of users, who we are calling the "Account ... Password Reset group" and I need to give them the right to reset any ... only reset and unlock users within their own "Account Password Reset ... (microsoft.public.windows.server.active_directory) Re: Grant right to unlock accounts? ... How To Delegate the Unlock Account Right: ... This posting is provided "AS IS" with no warranties, and confers no rights. ... At the moment user in this container have the ability to reset the ... (microsoft.public.windows.server.active_directory) RE: Password disappears ... account password will be reset to empty automatic. ... SBS infected by Trojan horse. ... Configure account lockout policy. ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Win2000  > microsoft.public.win2000.active_directory  > 2006-01