Re: Delegation - Password Reset - Access Denied

Yes I did see that link and took a look at it.

When I set this up I used the "Step-by-Step Guide to Using Deleigation of
Control Wizard from the MS TechNet web site.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

When I review the Security on the OU and those below it in the tree, the
security group is listed to have Full Control on both User and Group objects.
Yet a user in that group gets and error when trying to reset a password. The
only way I have been able to get this working is to add that group to the
Administrators Group, which I know I should not have to do.

This lead me to review Group Policy and I don't see anything showing up
there. I've spent a day now searching the MS website for a solution before
turning to this newsgroup. There I saw an answer to a request on how to set
this up and it mentioned to add the user or group to the Administrators
group. When I did that it allowed the users in that group to reset passwords.
My thought was that that defeats the purpose of delegation and then I posted
my question.

I guess my question is what could be causing this to happen and what should
I look at next?

Thanks,

TimJM

"Jorge de Almeida Pinto [MVP - DS]" wrote:

for all the tasks you mention, those can be delegated without making
someone a member of the administrators groups or whatever other default
admin group in AD. within the links I sent you earlier you will find
information on how to configure some basic tasks.

funny, in the link I mailed earlier I show how you can delegate the password
reset task. have you seen that?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"TimJM" <TimJM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8CB185C1-F97A-465A-9ECD-E76AE5BA6D8E@xxxxxxxxxxxxxxxx
Yes the inheritance check box is checked. I've also reviewed the security
settings and everything looks like it is set properly.

I have also reviewed all of the links you supplied and none of those are
correcting the issue.

It still doesn't answer my question that does adding a user to the
Administrators Group defeat the purpose of using Deligation?

"Jorge de Almeida Pinto [MVP - DS]" wrote:

is the inheritance checkbox checked or unchecked?
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"TimJM" <TimJM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6B45477-9F43-40F7-BA6F-E328192739D3@xxxxxxxxxxxxxxxx
I have setup a group as delegate to an OU. This group has Create,
delete,
Manage User accounts & Groups, Reset user password, read all user info,
and
Modify Group Memebership.

I have setup a custom TaskPad for them to use. When a user in this
group
tries to Reset a Users Password the get an Access Denied error. I read
in
another post on this group that that group needs to be in the
Administrators
group. Doesn't this defeat the whole purpose of deligating control?

When I do add this group into the Admins Group a user of that group can
Reset Passwords. Am I missing something?

TimJM






.

Relevant Pages

  • Re: BIOS startup ??
    ... the reset threshold of the processor, ... disk drives have their heads ... clocks in the system, for buss access, video control, port clocking etc. ... And typically all the clocks are ...
    (Fedora)
  • RE: Hidden WebBrowser stealing focus
    ... So if you there is another way to prevent the WebBrowser from taking focus ... control does not expose any interface for changing this behavior and the ... we have to reset back the focus into the original ... sent to the original focused control, so logically, we can monitor ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: cant reset a hidden field in form
    ... browser "Reset this form" and that is what the browser does. ... Naming a control you cannot control a control only makes me laugh ... illogical argumentation. ... so arguing it must be logical, and that it is specified that way is ...
    (comp.lang.javascript)
  • Re: parallel port relay control
    ... >> circuit works fine and I am able to control it with my software. ... I need the relay to remain off until my ... > Use a counter with an active low reset. ...
    (sci.electronics.design)
  • Re: Remote Access to Services
    ... Control what is in your ... Administrators group as a start, ... control what accounts are granted the user rights ... Currently if someone on our network opens ...
    (microsoft.public.windowsxp.security_admin)
Loading