Re: delegating control over ou

From: peter (p.majcher_at_NOSPAM.wp.pl)
Date: 09/08/04


Date: Wed, 8 Sep 2004 16:17:04 -0700

Thank you, Ulf, for this valuable information.
That is exactly what I wanted to know.
I was taking a look at the permissions under OU properties
and I have seen many settings and rights but
respect, I didn't know which rights are responsible for
which settings.

You've helped me much,
thanks.

BTW, locking an account was my mistake - of course it is
not useful to lock a user account!

>-----Original Message-----
>"peter" <majcher@news.postalias> wrote in message
>news:7bdb01c49535$1c15e9e0$a501280a@phx.gbl:
>> here is the scenario:
>> i would like to give my partner only these rights
>> on OU and child OUs
>>
>> create users
>> lock/unlock user accounts
>> disable/enable user accounts
>> reset passwords
>>
>> How can I achieve that? I ran the AD delegation wizard but there
>> are either too few or too many rights for my task.
>> Of course it gives the opportunity to reset passwords
>> but there is no info about locking or disabling
>> accounts.
>>
>> Which properties should I check to give the user only the
>> rights I have written above?
>>
>
>Hello Peter,
>
>Create users
>This is provided in the delegation wizard.
>
>Lock/Unlock user accounts:
>Locking is a feature which is delegated to everyone - just try to log
>on a couple of times with a false password using this account ;-) Locking
>accounts is not allowed via GUI and it does not make sense - disable
>the account if needed.
>Unlocking is done by delegating the right on the lockoutTime attribute
>of the user accounts.
>
>279723 How to Grant Help Desk Personnel the Specific Right to Unlock
>Locked User Accounts
>http://support.microsoft.com?id=279723
>
>Disable/Enable user accounts
>You have to delegate write rights for userAccountControl, which
>opens a couple of other options (mainly the checkboxes on the user account
>tab). There's no other option to delegate just that right in AD.
>Another option would be to create a web page or script to do that with
>different credentials.
>To delegate write rights, follow the example in the KB above on the
>lockoutTime using dsacls.
>
>Reset Passwords:
>This is provided in the delegation wizard.
>
>--
>Gruesse - Sincerely,
>
>Ulf B. Simon-Weidner
>.
>
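
Ulf's caveat above, that write access to userAccountControl opens more than the disable/enable checkbox, can be checked after the fact. The Python sketch below is an added example, not part of the original thread: it compares before/after userAccountControl values and reports any changed flag other than ACCOUNTDISABLE. The `audit` helper and the sample records are constructed for illustration; the flag values are Microsoft's documented userAccountControl bits.

```python
# Added example (not from the thread). Flag values are the documented
# userAccountControl bits; helper names and sample data are assumptions.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
# The only bit the disable/enable delegation in this thread is meant to cover.
ALLOWED = {"ACCOUNTDISABLE"}

def changed_flags(old, new):
    """Map each known flag that differs between old and new to its new state."""
    diff = old ^ new
    return {name: bool(new & bit) for bit, name in UAC_FLAGS.items() if diff & bit}

def audit(changes):
    """changes: iterable of (actor, account, old_uac, new_uac) tuples.
    Returns one finding per change that touched a flag other than ACCOUNTDISABLE."""
    findings = []
    for actor, account, old, new in changes:
        extra = [n for n in changed_flags(old, new) if n not in ALLOWED]
        # Changed bits that are not in the table above are reported as raw hex.
        unknown = (old ^ new) & ~sum(UAC_FLAGS)
        if extra or unknown:
            findings.append((actor, account, sorted(extra), hex(unknown)))
    return findings

# Constructed sample records: actor, account, value before, value after.
SAMPLE = [
    ("partner", "jdoe", 0x200, 0x202),       # account disabled: expected
    ("partner", "asmith", 0x202, 0x200),     # account re-enabled: expected
    ("partner", "bwhite", 0x200, 0x10200),   # password set to never expire
    ("partner", "cgreen", 0x200, 0x400222),  # disabled, plus two extra flags
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The before/after values would come from whatever change record is available, such as directory snapshots or account-change audit events.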


