Re: Win2k - Account Operator not working properly



Post a DSACLS dump of an OU of concern and what isn't happening in that OU that you expect should happen.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


thawkz wrote:
....let me also add some details to my most recent post--we have multi-level OUs....
I delegated control to Helpdesk group in the top level OU.....So, currently:
Helpdesk CAN modify/reset/create/delete accounts in the top-level OU.
Helpdesk CAN create new accounts/modify/delete/reset passwords for NEW accounts in OUs beneath the top-level OU.
Helpdesk CANNOT modify/reset existing accounts in the OUs beneath the top-level OU.
Please feedback comments/questions......thanks for your help.



"thawkz" wrote:


Good enough.....One followup question......I used the delegate control wizard to grant the required permissions for the HelpDesk group. The members of the group can now create/delete/modify NEW user accounts and reset passwords for these accounts, but cannot create/delete/modify/reset passwords for any accounts that existed PRIOR to my running the delegate control wizard.....any ideas on a cause and a fix?
Thanks.


"Joe Richards [MVP]" wrote:


You shouldn't use acc ops because there are side effects that tend to mess people up (see AdminSDHolder functionality), plus it was put there simply as a holdover from NT.

The proper way to handle this is to create one or more groups and delegate the permissions needed to those groups and add admins to the groups as needed.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


thawkz wrote:

Running (an inherited) Windows 2000 Active Directory.
Helpdesk staff needed permissions to manage user account/reset passwds, etc.
Added Helpdesk staff users to Account Operators built-in group.
Helpdesk staff still not able to manage user accounts/passwords, etc.
Used the Delegate Control wizard as workaround...... but I would like to fix the issue with Account Operators--how can I make sure the Account Operators built-in group has all of the required permissions? What settings do I check and where? (I suspect some of the default permissions for the Account Operators group have been modified, but I have no idea which ones....).
Thanks.
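
An added example, not part of the thread and not code from any poster: a read-only PowerShell check that complements the DSACLS dump requested above by listing, for every user under an OU, whether ACL inheritance is blocked and how many ACEs for the delegated group actually reach the object. The OU distinguished name and the group name are placeholders (assumptions); the `adminCount` column is included because the AdminSDHolder process mentioned in the thread sets it on accounts it protects.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
param(
    [string]$OuDn  = 'OU=Staff,DC=example,DC=com',   # top-level OU where control was delegated
    [string]$Group = 'Helpdesk'                      # delegated group (sAMAccountName)
)

# Plain ADSI/LDAP search so no extra modules are needed; run as a domain user.
$root     = [ADSI]"LDAP://$OuDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = 'Subtree'      # include the OUs beneath the top-level OU
$searcher.PageSize    = 500            # page results so large OUs are not truncated
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('adminCount')

$report = foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    $acl   = $entry.ObjectSecurity     # the object's security descriptor (read only here)

    # All ACEs, explicit and inherited, with trustees resolved to DOMAIN\name
    $rules     = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $groupAces = @($rules | Where-Object { $_.IdentityReference.Value -like "*\$Group" })

    $adminCount = $null
    if ($hit.Properties.Contains('admincount')) { $adminCount = $hit.Properties['admincount'][0] }

    [pscustomobject]@{
        DistinguishedName  = [string]$hit.Properties['distinguishedname'][0]
        AdminCount         = $adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected   # True: OU-level ACEs do not flow down
        InheritedGroupAces = @($groupAces | Where-Object { $_.IsInherited }).Count
        ExplicitGroupAces  = @($groupAces | Where-Object { -not $_.IsInherited }).Count
    }
    $entry.Dispose()
}

# Accounts the delegation does not reach: inheritance blocked, or no inherited ACE for the group
$report |
    Where-Object { $_.InheritanceBlocked -or $_.InheritedGroupAces -eq 0 } |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize
```

Accounts that appear in the output are the ones to compare against a newly created account in the same OU when reading the DSACLS dump.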


