Re: Force password change permission



Define these? If you mean the property sets, they are defined between the values in the extended-rights container and the schema.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


SecAdmin wrote:
Does anyone know where all these are documented?

"Joe Richards [MVP]" wrote:


That would have to be a bug in the GUI then. You only need WP to pwdLastSet to force an account to have to change its password (make it expired).

Write Account Restrictions gives far more rights than that; last I looked, it gave you all of these:


accountExpires
msDS-User-Account-Control-Computed
pwdLastSet
userAccountControl
userParameters

which is far more rights than reset password and force to change on next logon.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Todd J Heron wrote:

Nick wrote:


Hi there,

I'm having trouble delegating control of an OU to a user. I want this user
to be able to reset passwords and force the user to change their password
upon their next login. I've used the delegation control wizard to give the
user these permissions, and the permissions appear correct in the ACL (has
permission to reset password and to write pwdlastset) - the result is that
although they can reset the password successfully, the 'user must change
password upon next logon' checkbox is greyed out.

Any help is much appreciated!

Cheers,
Nick


The user needs "Write Account Restrictions" to be able to make this happen.
http://support.microsoft.com/default.aspx?scid=KB;en-us;296999
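
The difference discussed in this thread can be checked on an OU's DACL. The following is an added example, not code from any poster: it parses an SDDL string and reports, per trustee, whether a delegation writes only pwdLastSet or the whole Write Account Restrictions property set. The GUIDs are the well-known Active Directory values; the function names, SIDs and sample DACL are constructed for illustration.

```python
import re

# Well-known AD GUIDs (rightsGuid / schemaIDGUID values).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"        # extended right
PWD_LAST_SET = "bf967a0a-0de6-11d0-a285-00aa003049e2"          # attribute
ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"            # user objects
# Attributes the thread lists under Write Account Restrictions.
RESTRICTION_ATTRS = ["accountExpires", "msDS-User-Account-Control-Computed",
                     "pwdLastSet", "userAccountControl", "userParameters"]
BITS = {"WP": 0x20, "CR": 0x100}  # write property, control access

def parse_aces(sddl):
    """Yield (type, rights, object_guid, trustee) for each ACE in an SDDL string."""
    for body in re.findall(r"\(([^()]*)\)", sddl):
        f = body.split(";")
        if len(f) < 6:
            continue  # malformed ACE
        mask = f[2]  # rights are either two-letter codes or a hex mask
        rights = ({r for r, b in BITS.items() if int(mask, 16) & b}
                  if mask.startswith("0x") else set(re.findall("..", mask)))
        yield f[0], rights, f[3].lower(), f[5]

def audit(sddl):
    """Return {trustee: [findings]} for password-related object ACEs."""
    report = {}
    for ace_type, rights, guid, trustee in parse_aces(sddl):
        if ace_type != "OA":  # only object-specific allow ACEs
            continue
        findings = report.setdefault(trustee, [])
        if "CR" in rights and guid == RESET_PASSWORD:
            findings.append("reset password")
        elif "WP" in rights and guid == PWD_LAST_SET:
            findings.append("write pwdLastSet only")
        elif "WP" in rights and guid == ACCOUNT_RESTRICTIONS:
            findings.append("OVERBROAD: write " + ", ".join(RESTRICTION_ATTRS))
    return {t: f for t, f in report.items() if f}

# Constructed sample DACL: two delegated groups with made-up SIDs.
SAMPLE = (
    "D:AI"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};S-1-5-21-1-2-3-1101)"
    f"(OA;CIIO;WP;{PWD_LAST_SET};{USER_CLASS};S-1-5-21-1-2-3-1101)"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};S-1-5-21-1-2-3-1102)"
    f"(OA;CIIO;RPWP;{ACCOUNT_RESTRICTIONS};{USER_CLASS};S-1-5-21-1-2-3-1102)"
)

if __name__ == "__main__":
    for trustee, findings in audit(SAMPLE).items():
        print(trustee, findings)
```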

