Re: Field greyed out when account ops try to unlock account
- From: "Richard Alexander" <copper_shotgun@xxxxxxxxxxx>
- Date: Wed, 21 Jun 2006 17:37:26 -0500
I hope I did this right, but I looked at adsiedit for the abs-accops group I
had created and the adminCount attribute said <not set>, which I believe means
it is cleared.
I then ran the following from a batch file:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Everyone:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"
I must have missed something, because if I look at a user object, some
have the permissions granted and others still do not.
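The clean-up Joe describes (remove the people from the protected group, clear adminCount, put inheritance back, then recheck) as a PowerShell script. This is an added example, not code from the thread; it assumes the ActiveDirectory module, rights to change adminCount and the security descriptor on the affected users, and the default list of SDProp-protected groups.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to modify adminCount and the security descriptor on affected users.
Import-Module ActiveDirectory

$DryRun = $true   # set to $false to actually apply the changes

# Assumed default set of groups whose members SDProp stamps with adminCount=1.
$protectedGroups = @('Administrators', 'Account Operators', 'Backup Operators',
    'Print Operators', 'Server Operators', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'Replicator', 'Domain Controllers', 'Read-only Domain Controllers')

# Collect every direct or nested user member; -Recursive also catches a
# distribution list that was nested in a protected group, the case Joe mentions.
$protectedSids = @{}
foreach ($g in $protectedGroups) {
    try { $grp = Get-ADGroup -Identity $g } catch { continue }   # group absent in this forest
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedSids[$_.SID.Value] = $true }
}

# Users still carrying the SDProp stamp although no longer in any protected group.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $protectedSids.ContainsKey($_.SID.Value) }

foreach ($u in $orphans) {
    Write-Host "Orphaned adminCount=1: $($u.DistinguishedName)"
    if ($DryRun) { continue }

    # 1. Clear adminCount so SDProp stops re-applying the AdminSDHolder ACL.
    Set-ADUser -Identity $u -Clear adminCount

    # 2. Re-enable inheritance. The second argument keeps the explicit ACEs
    #    that are already on the object instead of discarding them.
    $path = "AD:\$($u.DistinguishedName)"
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once with $DryRun left at $true to see the list, then again after the change; if an account shows up again an hour or so later (SDProp runs on its own schedule), it is still reaching a protected group through some membership the script's list does not cover.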
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%234jJplAkGHA.4044@xxxxxxxxxxxxxxxxxxxxxxx
Once the folks are out of the acc ops you need to clear the admincount
attribute and reset their ACL. Then recheck them. If they get admincount
set again, there is some other group membership that is impacting them. It
could even be a DL that was in one of the protected groups at one point.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Richard Alexander wrote:
I used to think I was a pretty sharp guy, but now I'm having my doubts.
I did as you suggested and looked up the adminsdholder at Google. I've
read several articles describing its purpose and they make perfect
sense, but I still do not see how it is affecting my situation. I
believe it is the culprit, but don't know why.
Originally I had the help deskers in the account operators group, which
was not working all the time. adminsdholder may have been preventing
this. After I read up on delegation, I removed them from the account
operators group and created a new group called xxx-accops and then
delegated permissions on the OUs.
I found the following article and it mentions the same problems and a
hotfix; once I finish reading it, I may look at that option.
http://support.microsoft.com/kb/817433
Thanks
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uTT6y$niGHA.4580@xxxxxxxxxxxxxxxxxxxxxxx
Ok, did you go look up adminsdholder as I mentioned previously?
Richard Alexander wrote:
I ran the following command to try and restore inherited permissions at
the OU level and it said successfully completed, but if I go to the user
object and look at permissions, they are still not inheriting.
dsacls ou=users,ou=city,ou="dist division",DC=company,DC=local /I:T
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%23lEIvTeiGHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
Oh as for the user not having the permissions on it, does the user
have inheritance enabled? If not, it is likely you are feeling the
effects of the adminsdholder functionality which you can google for,
tons of references to that now.
Richard Alexander wrote:
I tried running
dsacls cn=enduser,ou=users,ou=city,ou=dist division
but I get an error that the system cannot open device or file.
Tried on several different accounts with the same result. I did look at
the advanced features through MMC and can see the security tab. The
group that I created has access at the container (inherited from site
level), but when I look at the security on the user object it is
not there.
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eWYBksPhGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
Look at the permissions on the problem account with dsacls, that
should tell the story.
Richard Alexander wrote:
I had another instance this morning of this problem. We had an
account that was locked out, but the 2 admins could not unlock it.
Domain admin had to unlock the account. This is in 2003, and the
account was not a member of a restricted group. Any help on this
would be greatly appreciated.
"Richard Alexander" wrote:
Just to clarify. I have 2 admins that are part of the account
operators group and occasionally someone will call in with a
locked account. They pull up the account properties and see the
check there, but it is greyed out and they cannot unlock. It
is not one particular userid, and it has happened several times to
each one of them. I have since taken them out of account
operators and tried using delegation with user manage rights to
see if that resolves it.
"Joe Richards [MVP]" wrote:
Dump the ACL of the user you can't modify with dsacls and post it
Richard Alexander wrote:
No, just a regular user account. I thought maybe it was a
replication issue. Domain admins never have the issue, only the
people in the account operators group.
"Joe Richards [MVP]" wrote:
Is the account the person trying to unlock also an accop or
admin or something like that? Is the ACL on the object a little
different from what you are used to seeing, say no inherited
ACEs?
Google the term adminSDHolder
Richard Alexander wrote:
We are running a Server 2003 single domain structure and we
have 2 servers at our corporate locations and 5 remote DCs at
remote locations all with a global catalog. Occasionally one
of our early morning staffers will need to unlock an account,
but the check box will be greyed out. I had them in the
account operators group from our old NT4 domain and read some
things about delegation. I set up a new group and did
delegation but she had the same issue this morning. I thought
it might be something with replication, but we have partial
T1s to all the remotes, so I don't think speed is an issue.
Please respond as I'm out of ideas.
Thanks