Re: Account Operators users changing others Account Operators user
- From: Claude Lachapelle <ClaudeLachapelle@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Nov 2006 05:47:02 -0800
I know that Domain Controller are resetting security setting of members of
those builtin groups, but does they are doing the same thing to OU's security?
I'm asking that, since I'm having trouble keeping Account Operators group
rights on somes OU's in a problematic Active Directory. Each time I'm
resetting Acount Operators group rights (add/delete/modify all objects &
child objects) at the top level OU's structure, we have to drill down the
structure to make sure every OU is inheriting from parent. After doing that,
few hours later, we have to re-do the same thing again, since inheritance and
propagation of rights have been removed!!!
"Joe Richards [MVP]" wrote:
They are there because they are legacy hold-over from NT4 where there.
was no such thing as delegation.
Don't figure out what Acc Ops has and duplicate it, figure out what
people need and grant that instead.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Claude Lachapelle wrote:
Thus, what is the purpose of this kind of builtin groups, if they could not
do what they are intended to be?
This kind of behavior explain for what a lot of companies are giving full
rights to everybody (account operators are Domain Admins!), since after using
these builtin groups first, they are having troubles resetting passwords on
somes accounts...
So we have now to determine exactly what security the Account Operators
groups give, and create another similar group to delegate similar security,
but over all required objects.
Thanks.
"Jorge de Almeida Pinto [MVP - DS]" wrote:
yep.... do not use that group or other builtin groups...delegate stuff!
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Claude Lachapelle" <ClaudeLachapelle@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:EFDF1E56-C244-470E-B443-651AC3DE31A8@xxxxxxxxxxxxxxxx
Hi!
Does it exist a way for an account operators member to change/reset
password
of others account operators member?
Or the only way, is to not uses this group and delegate required rights?
Thanks.
Claude Lachapelle
Systems Administrator, MCSE
- Follow-Ups:
- Re: Account Operators users changing others Account Operators user
- From: Joe Richards [MVP]
- Re: Account Operators users changing others Account Operators user
- References:
- Re: Account Operators users changing others Account Operators users pw
- From: Jorge de Almeida Pinto [MVP - DS]
- Re: Account Operators users changing others Account Operators user
- From: Joe Richards [MVP]
- Re: Account Operators users changing others Account Operators users pw
- Prev by Date: Re: Finding and Disabling Inactive AD User Accounts
- Next by Date: Re: Sorting ADAM-Queries in Outlook
- Previous by thread: Re: Account Operators users changing others Account Operators user
- Next by thread: Re: Account Operators users changing others Account Operators user
- Index(es):
Relevant Pages
|
Loading
