Re: Delegation of Control

From: jv (jv_at_discussions.microsoft.com)
Date: 11/10/04


Date: Wed, 10 Nov 2004 11:10:01 -0800

I ran DCW and it works fine. I also found other postings that show how to do
it manually through the security tab on the OU or container.
* I DID NOTICE THAT HELPDESK AND DESKTOP GROUP CAN'T RESET THEIR OWN ACCOUNT
PASSWORD IN AD USERS AND COMPUTERS. THEY CAN RESET ALL OTHER ACCOUNTS. IS
THIS BY DESIGN OR DID I MISS A STEP?

"Ulf B. Simon-Weidner [MVP]" wrote:

> "Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in
> message news:nospam2-ulf@usw-consulting.com:
> > "jv" <jv@discussions.microsoft.com> wrote in message
> > news:jv@discussions.microsoft.com:
> > > I just upgraded my test environment to w2k3 AD. Now I want to be able to
> > > delegate control for my helpdesk and desktop team to be able to reset
> > > passwords, unlock accounts, join computers to domain, remove computers from
> > > domain, and read access to view properties of accounts.
> > >
> > > What is best way to achieve this?
> >
> > Hello jv,
> >
> > Most of the tasks you outlined are in the delegation of control wizard,
> > just click on the appropriate OU and choose "delegation" from the
> > context menu.
> >
> > Everybody has read access, so you don't need to configure that. And
> > they are able to change accounts they create. Reset passwords is
> > provided in the delegation wizard, create and delete computer objects
> > is provided.
> >
> > To unlock locked user accounts you have to delegate write rights on the
> > "lockoutTime"-Attribute.
> >
>
> What I forgot:
>
> Here's an explanation of the lockoutTime-Attribute:
> http://www.windowsserverfaq.de/faq/ADQueries/lockoutTime.asp
>
> And here is an example of how to set it with DSAcls:
> http://www.windowsserverfaq.de/wiki/wikien.asp?db=Wiki&dbname=DefaultDb&o=ActiveDirectoryDelegation
>
>
> --
> Gruesse - Sincerely,
>
> Ulf B. Simon-Weidner
>
> MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
> Weblog: http://msmvps.org/UlfBSimonWeidner
> WebSite: http://www.windowsserverfaq.org
>
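
The delegation tasks discussed in this thread (reset passwords, unlock accounts via lockoutTime, create and delete computer objects), written out as DSAcls commands run from PowerShell. This is an added example, not part of the original posts or the linked wiki; the OU paths and the group name are placeholders to replace with your own.

```powershell
# Added example. All three values below are hypothetical placeholders.
$userOu     = 'OU=Staff,DC=example,DC=test'         # OU that holds the user accounts
$computerOu = 'OU=Workstations,DC=example,DC=test'  # OU that holds the computer accounts
$group      = 'EXAMPLE\Helpdesk'                    # group receiving the delegation

function Grant-Delegation {
    param([string]$Dn, [string]$Inherit, [string]$Ace)
    # /I:S = sub-objects only, /I:T = this object and sub-objects; /G = grant
    dsacls $Dn "/I:$Inherit" /G $Ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$Ace' on '$Dn'" }
}

# Reset passwords: the "Reset Password" control-access right (CA),
# limited to user objects below the OU.
Grant-Delegation $userOu 'S' "${group}:CA;Reset Password;user"

# Unlock accounts: read/write on the lockoutTime attribute only (RP/WP),
# rather than write access to the whole user object.
Grant-Delegation $userOu 'S' "${group}:RPWP;lockoutTime;user"

# Join/remove computers: create and delete child objects (CC/DC)
# of class computer in the computer OU and its sub-OUs.
Grant-Delegation $computerOu 'T' "${group}:CCDC;computer"

# Review what the group now holds on each OU, so the delegation can be
# compared against the intended scope.
foreach ($dn in $userOu, $computerOu) {
    "--- $dn"
    dsacls $dn | Select-String -SimpleMatch $group
}
```

Run it from an elevated session on a machine that has the AD support tools installed, against a test OU first.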


