Re: Delegate Account reset not working...
- From: "Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 Apr 2007 15:17:47 -0600
I don't know if it is on topic here - I was looking for some related info a
few years ago and never could find a newsgroup where the question seemed
on-topic! ;-)
A custom console that shows only one OU would certainly discourage your
password setters from browsing elsewhere, but I don't see how you could
prevent them from creating their own console showing the entire directory.
/Al
"tke402" <tke402@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E36C21B8-1A99-47E2-9BE9-982AC107332C@xxxxxxxxxxxxxxxx
I agree I do not want to do that.
Custom MMC. Yes maybe that's what I need, so that there is no exploring other users and OUs! HHhhmmm creating a custom MMC, that's a topic for another thread?
Thanks,
Chris
"Jorge Silva" wrote:
Read access is given by default, if you want to deny read access you can end up by denying read access to other important objects like GPOs. In my opinion you shouldn't mess with that.
Why don't you create a custom mmc console and distribute it to those users?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
--------------------------------------------------
"tke402" <tke402@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4FE39516-A48F-4DD9-BA51-72A723594734@xxxxxxxxxxxxxxxx
It looks like the users were in a group that was previously given delegation access to reset all user accounts in the domain. I removed the user from this group and created a specific group for this OU. I then added the user to this group and it works. However, the user can still see all the other OUs and accounts. The user doesn't have permission to change anything but I don't even want the user to view anything else besides the delegated OU. Any ideas on how to accomplish this?
Thanks
TKE402
"Jorge Silva" wrote:
Correct. It should only give control over that specific OU.
Can you check if that group has any other permissions on other existing OUs?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
--------------------------------------------------
"tke402" <tke402@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:243CAD01-EF6F-47BE-97F8-7C139A6A4E65@xxxxxxxxxxxxxxxx
Sorry maybe I wasn't clear. I right clicked on that particular OU and ran the delegation wizard. Shouldn't that have only given the reset permission to that particular OU?
"Jorge Silva" wrote:
Hi tke402
You should delegate these rights only to that specific OU.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
--------------------------------------------------
"tke402" <tke402@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:335D0663-3953-4E5B-8496-52ACDC28DADC@xxxxxxxxxxxxxxxx
Hi,
I would like to delegate the ability to account reset and password reset to a specific group for a specific OU. I created PWDRESET group and I used the delegation wizard and assigned the permission to this group to reset the Sales OU accounts. However, when I log in as a member of this group, I have access to reset all accounts in the domain. I would like to know how to fix this so that the PWDRESET group will only be able to reset the Sales OU accounts and only see the Sales OU.
Thanks
TKE402
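
The cause found in this thread (membership in an older group that already held reset rights across the whole domain) can be checked for by listing where the Reset Password right is granted and to whom. The PowerShell below is an added example, not part of the original thread; `EXAMPLE\OldResetGroup` and the `example.test` domain are constructed sample data, `Find-ResetPasswordDelegation` and `New-SampleAce` are hypothetical helper names, and the commented live query assumes the ActiveDirectory module is installed.

```powershell
# Reset Password is the User-Force-Change-Password extended right (schema GUID below).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Find-ResetPasswordDelegation {
    param(
        # Object with DistinguishedName and Access (the ACEs on that container)
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Container
    )
    process {
        foreach ($ace in $Container.Access) {
            # Report each grant once, on the container where it is actually set
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            $rights = [string]$ace.ActiveDirectoryRights
            $type   = [guid]$ace.ObjectType
            # GenericAll, "all extended rights" (empty GUID) and the specific
            # right each allow password resets below this container.
            $grants = ($rights -match 'GenericAll') -or
                      ($rights -match 'ExtendedRight' -and
                       ($type -eq $ResetPasswordGuid -or $type -eq [guid]::Empty))
            if ($grants) {
                [pscustomobject]@{
                    SetOn   = $Container.DistinguishedName
                    Trustee = [string]$ace.IdentityReference
                    Rights  = $rights
                }
            }
        }
    }
}

# Constructed sample: an old domain-wide grant plus the new Sales OU grant.
function New-SampleAce($Who, $Inherited) {
    [pscustomobject]@{ IdentityReference = $Who; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ResetPasswordGuid
        IsInherited = $Inherited }
}
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'DC=example,DC=test'
        Access = @(New-SampleAce 'EXAMPLE\OldResetGroup' $false) }
    [pscustomobject]@{ DistinguishedName = 'OU=Sales,DC=example,DC=test'
        Access = @((New-SampleAce 'EXAMPLE\PWDRESET' $false),
                   (New-SampleAce 'EXAMPLE\OldResetGroup' $true)) }
)
$sample | Find-ResetPasswordDelegation | Format-Table -AutoSize

# Live domain (assumes the ActiveDirectory module and its AD: drive):
# $dns = @((Get-ADDomain).DistinguishedName) + @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
# $dns | ForEach-Object { [pscustomobject]@{ DistinguishedName = $_; Access = (Get-Acl "AD:\$_").Access } } |
#     Find-ResetPasswordDelegation
```

On the sample data this reports `EXAMPLE\OldResetGroup` set on the domain root and `EXAMPLE\PWDRESET` set on the Sales OU. A live domain will also list the built-in administrative groups, so the rows to review are non-administrative trustees whose `SetOn` is the domain root or a parent OU.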