RE: Helpdesk rights to change passwords




Have a look at the following link for more details on how to do this...

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ECAA

While you're at it you might as well do this as well, as it will be the next
thing you need to do for your Help Desk staff.
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952

Make sure you also actually have the proper permissions to grant these
rights and pay attention to where you are trying to apply them. You might not
have full access to an entire forest if you have shared administration roles.


"Dean Colpitts" wrote:

> I have several different customers that have a single Windows 2003 DC
> with XP SP2 workstations. At each site, I'd like to take one person
> and give them rights to change/reset other users' passwords from an XP
> SP2 workstation. I've found the following command:
>
> net user username password /domain
>
> which works fine when run from an account with domain admin rights.
> When I run this as a standard domain user, obviously I get an error.
>
> I've run the delegation of control wizard, picked the account I want
> to have these rights, created a custom task to delegate, select an
> active directory object type of users and selected both change
> password and reset password.
>
> When running the above command as the user I've delegated as the
> password changer, on that person's workstation, I get:
>
> System error 5 has occurred.
>
> Access is denied.
>
> What am I doing wrong, and what is the best way around it? I only
> want this person to be able to change or reset passwords...
>
> dcc
>