Re: Delegation - Password Reset - Access Denied
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Dec 2006 16:38:15 -0600
You attempt to see if the permissions are being applied as you expected.
Open up a user's properties and select the security tab, click on advanced,
select the effective permissions tab, click on select and enter a user in
and select ok.
What permissions are shown in the window? Are they what you expected?
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"TimJM" <TimJM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:33231D18-CE57-4A1C-9D28-5C125DD50A67@xxxxxxxxxxxxxxxx
I understand that and that is what I'm trying to avoid. I feel I have
followed the correct procedure to delegate a group to manage a branch of the
AD. This group is closed to the needs of those users and will be the 1st line
of help. I want them to create users and security groups, place users in
those groups and reset passwords when needed.
The issue is everything looks like it is set up properly, but when a user
in this group tries to reset a password, they get an access denied message. I
have reviewed permissions and they look correct. The group has Full control
on both group and User objects. These permissions are inherited from the OU
above.
To me it looks like something else is preventing the user in this group from
resetting passwords, and that is what I'm looking for direction on as to
where else beside the KB to look for this answer?
TimJM
"Paul Bergson [MVP-DS]" wrote:
Don't ever place a user in any of the Administrative groups unless you are
willing to provide them administrative privileges.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"TimJM" <TimJM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6B45477-9F43-40F7-BA6F-E328192739D3@xxxxxxxxxxxxxxxx
I have set up a group as delegate to an OU. This group has Create, delete,
Manage User accounts & Groups, Reset user password, read all user info, and
Modify Group Membership.
I have set up a custom TaskPad for them to use. When a user in this group
tries to Reset a User's Password they get an Access Denied error. I read in
another post on this group that that group needs to be in the Administrators
group. Doesn't this defeat the whole purpose of delegating control?
When I do add this group into the Admins Group a user of that group can
Reset Passwords. Am I missing something?
TimJM
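A scripted counterpart to the effective-permissions check described in the reply, as an added example that is not part of the original thread: it evaluates the ACEs on one user object for the Reset Password extended right and reports whether the object blocks inheritance from the OU. The `CONTOSO` names and sample ACEs are constructed, the function name is hypothetical, and only ACEs that name the group directly are considered (nested group membership is not resolved).

```powershell
Add-Type -AssemblyName System.DirectoryServices
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]
$ResetPwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right

function Test-ResetPasswordAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,       # entries shaped like (Get-Acl).Access
        [Parameter(Mandatory)] [string]   $Identity,  # delegated group as DOMAIN\name
        [bool] $InheritanceBlocked = $false           # (Get-Acl).AreAccessRulesProtected
    )
    $hits = @(foreach ($a in $Ace) {
        if ("$($a.IdentityReference)" -ne $Identity) { continue }
        if ("$($a.PropagationFlags)" -match 'InheritOnly') { continue }  # not applied to this object
        # GenericAll (Full Control) contains the ExtendedRight bit, so one test covers both.
        $rights = [int]($a.ActiveDirectoryRights -as $ADR)
        if (-not ($rights -band [int]$ADR::ExtendedRight)) { continue }
        $type = [guid]$a.ObjectType                   # empty GUID = all extended rights
        if ($type -eq $ResetPwd -or $type -eq [guid]::Empty) { $a }
    })
    $allow = @($hits | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
    $deny  = @($hits | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })
    # Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $explicitDeny  = @($deny  | Where-Object { -not $_.IsInherited }).Count -gt 0
    $explicitAllow = @($allow | Where-Object { -not $_.IsInherited }).Count -gt 0
    $granted = $allow.Count -gt 0 -and -not $explicitDeny -and ($explicitAllow -or $deny.Count -eq 0)
    [pscustomobject]@{
        Identity           = $Identity
        AllowAces          = $allow.Count
        DenyAces           = $deny.Count
        InheritanceBlocked = $InheritanceBlocked
        ResetGranted       = $granted
    }
}

# Constructed sample ACEs (hypothetical CONTOSO names), not taken from the thread.
$none = [guid]::Empty
$inheritingUser = @(   # user object that receives the OU delegation by inheritance
    [pscustomobject]@{ IdentityReference='CONTOSO\Branch-Helpdesk'; AccessControlType='Allow'
        ActiveDirectoryRights='GenericAll'; ObjectType=$none; IsInherited=$true; PropagationFlags='None' }
)
$blockedUser = @(      # user object with inheritance blocked: the OU ACE never arrives
    [pscustomobject]@{ IdentityReference='CONTOSO\Domain Admins'; AccessControlType='Allow'
        ActiveDirectoryRights='GenericAll'; ObjectType=$none; IsInherited=$false; PropagationFlags='None' }
)
Test-ResetPasswordAce -Ace $inheritingUser -Identity 'CONTOSO\Branch-Helpdesk'
Test-ResetPasswordAce -Ace $blockedUser -Identity 'CONTOSO\Branch-Helpdesk' -InheritanceBlocked $true
# Against a live domain (needs the ActiveDirectory module for the AD: drive):
#   $acl = Get-Acl -Path 'AD:\<distinguished name of the user>'
#   Test-ResetPasswordAce -Ace $acl.Access -Identity '<DOMAIN\group>' -InheritanceBlocked $acl.AreAccessRulesProtected
```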