RE: Account Operators accessing other account operators




What I would do is create a separate OU in your domain for the Account
Operators if possible and delegate the necessary rights on this OU.
Create a new security group and use the delegation wizard to delegate
the necessary rights to this group. Put all members that need to reset these
accounts in this group.

Paper about delegation:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

Hope this helps you.

"Matt" wrote:

We have a Windows 2003 (SP1) AD domain. Our helpdesk staff are account
operators and they can successfully manage the company's user accounts. They
cannot access builtin accounts such as domain administrators (which I know is
by design and is what I want).

However, and this is my problem, they cannot reset passwords or
unlock the accounts of the other account operators. If a helpdesk staff
locks their account the other helpdesk staff cannot unlock it; and they have
to wait for me to do it (I'm a domain admin). I did read an article saying
that this was by design since Windows 2000 SP4. However this is not
particularly helpful to me.

I am being pushed to get this resolved and do not want to give them domain
admin rights. Please can anyone help.
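
The OU delegation suggested in the reply, written out as commands (an added example, not part of the original posts). The OU and group names are placeholders, and it assumes the helpdesk accounts in that OU are not members of a protected group such as Account Operators: accounts flagged `adminCount=1` have their ACL rewritten from AdminSDHolder and do not keep ACEs inherited from the OU.

```powershell
# Placeholder names (assumptions), not values from the thread.
$ou    = 'OU=Helpdesk,DC=example,DC=com'      # OU holding the helpdesk user accounts
$group = 'EXAMPLE\Helpdesk-Resetters'         # new security group that receives the rights

# Each ACE is granted on the OU and inherited by child objects only (/I:S);
# the trailing ";user" restricts it to user objects.
$aces = @(
    "${group}:CA;Reset Password;user",   # control access right: reset password
    "${group}:RPWP;lockoutTime;user",    # read/write lockoutTime: unlock the account
    "${group}:RPWP;pwdLastSet;user"      # read/write pwdLastSet: force change at next logon
)

foreach ($ace in $aces) {
    Write-Host "Granting $ace on $ou"
    & dsacls $ou /I:S /G $ace
}

# Check which accounts in the OU are marked as protected. Any account listed
# here has inheritance disabled by the AdminSDHolder process, so the ACEs
# granted above will not apply to it.
& dsquery * $ou -filter '(&(objectCategory=person)(objectClass=user)(adminCount=1))' `
    -attr sAMAccountName adminCount

# Review the resulting ACL on the OU to confirm only the intended group was added.
& dsacls $ou
```

Run it as an account that can modify permissions on the OU, and keep membership of the delegated group as tightly controlled as the accounts it can reset.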