Re: Account Operators users changing others Account Operators user



AdminSDHolder should not be affecting permissions on OUs themselves, but will impact groups and users. If your OU permissions are changing, someone or something external to MSFT is doing it.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Claude Lachapelle wrote:
I know that Domain Controllers are resetting the security settings of members of those builtin groups, but are they doing the same thing to OUs' security?

I'm asking that, since I'm having trouble keeping Account Operators group rights on some OUs in a problematic Active Directory. Each time I reset the Account Operators group rights (add/delete/modify all objects & child objects) at the top level of the OU structure, we have to drill down the structure to make sure every OU is inheriting from its parent. After doing that, a few hours later, we have to re-do the same thing again, since inheritance and propagation of rights have been removed!!!

"Joe Richards [MVP]" wrote:

They are there because they are a legacy hold-over from NT4 where there was no such thing as delegation.

Don't figure out what Acc Ops has and duplicate it, figure out what people need and grant that instead.



Claude Lachapelle wrote:
Thus, what is the purpose of this kind of builtin group, if they cannot do what they are intended to do?

This kind of behavior explains why a lot of companies are giving full rights to everybody (account operators are Domain Admins!), since after using these builtin groups first, they are having trouble resetting passwords on some accounts...

So we now have to determine exactly what security the Account Operators group gives, and create another similar group to delegate similar security, but over all required objects.

Thanks.

"Jorge de Almeida Pinto [MVP - DS]" wrote:

yep.... do not use that group or other builtin groups...delegate stuff!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"Claude Lachapelle" <ClaudeLachapelle@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:EFDF1E56-C244-470E-B443-651AC3DE31A8@xxxxxxxxxxxxxxxx
Hi!

Is there a way for an Account Operators member to change/reset the password
of other Account Operators members?

Or is the only way to not use this group and delegate the required rights?

Thanks.

Claude Lachapelle
Systems Administrator, MCSE
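
Added example (not part of the original thread): a read-only PowerShell check that separates the two cases discussed above, listing the users and groups stamped by AdminSDHolder and, separately, the OUs whose inheritance is blocked, with the time and DC of the last ACL write. It assumes the RSAT ActiveDirectory module and read access to the domain; the function names are made up for this example.

```powershell
# Added example, not code from the thread. Read-only; needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Account Operators (avoids localized group names).
$AccountOperatorsSid = 'S-1-5-32-548'

function Get-AdminSDHolderProtectedObject {
    # Users and groups that are (or once were) protected by AdminSDHolder carry
    # adminCount=1; protected objects get their ACL rewritten periodically.
    # OUs are not part of that set.
    Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(adminCount=1))' |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Get-OUAclState {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Server     = (Get-ADDomainController).HostName
    )
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Server $Server | ForEach-Object {
        $acl   = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        # Replication metadata shows when, and on which DC, the ACL was last written.
        $meta  = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                     -Server $Server -Properties nTSecurityDescriptor
        [pscustomobject]@{
            OU                   = $_.DistinguishedName
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            AccountOperatorsAces = @($rules | Where-Object {
                                       $_.IdentityReference.Value -eq $AccountOperatorsSid }).Count
            AclLastChanged       = $meta.LastOriginatingChangeTime
            AclChangedOnDC       = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Accounts and groups whose ACLs AdminSDHolder will keep resetting.
Get-AdminSDHolderProtectedObject | Format-Table -AutoSize

# OUs that no longer inherit from their parent, with the last ACL write to correlate
# against scheduled jobs or provisioning tools running around that time.
Get-OUAclState | Where-Object InheritanceBlocked | Format-Table -AutoSize
```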
