Re: Delegate Control in AD



No.
Having the MMC and reading AD does not allow you to reset passwords.
If you look at AD through AdsiEdit you can see the range of attributes, only
some of which are exposed in the MMC. They are all controlled by ACLs, so if
you don't have the right to reset the password you can't do it.
Anthony,
http://www.airdesk.com





"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3F25A230-3B85-4E57-82D0-2BE70CA04397@xxxxxxxxxxxxxxxx
Anthony -

The passwords did change. I will have to double-check the permissions on the
objects. Even if "Everyone" has the "Read" permissions, should this still
allow someone to change passwords that they have not been delegated to
change?

"Anthony" wrote:

Joe,
Even though the Delegate wizard makes it easier to delegate, you can see the
actual permissions on the Security tab of the AD objects. In answer to your
detailed points:
- everyone can read
- did you check whether the passwords were _actually_ changed?
Anthony,
http://www.airdesk.co.uk



"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9567BA85-6858-45C6-915B-C4BCA1139F84@xxxxxxxxxxxxxxxx
Greetings!

I have a Windows 2003 AD domain, single domain/single forest. I am trying to
delegate control of a specific sub-OU to a specific user account. Right now
the OU structure is as follows:

Sales OU - (which contains)
>>Sales Admins OU
>>Sales Users OU

I ran the "Delegate Control" wizard on the "Sales Users OU" and gave a
specific NON-administrator account (from the "Sales Admins OU") the ability
to "Read all user information" and "Reset user passwords/force password
change at logon". I then installed the adminpak on the PC of the user I
delegated control to. When that user opens up the AD Users and Computers
MMC, they can reset pwds on the "Sales Users OU". !!!!BUT!!!!! They can also
browse the entire AD structure and reset passwords for anyone in AD!! Again,
this user does not belong to any domain admin groups (actually they are a
member of "domain users" only). Is there something I am missing here? The
user account should only be able to reset pwds on the "Sales Users OU" if I
delegate control to ONLY that OU. Are there security permissions on the AD
objects that need to be adjusted after you delegate control to a specific
OU?
Any feedback would be greatly appreciated.

Joe
jshearer2112@xxxxxxxxxxx
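Anthony's advice above is to stop guessing from the MMC and read the ACLs themselves (Security tab or ADSIEdit), because "Read all user information" is only ReadProperty/ListChildren and cannot reset a password; if the delegated user can reset passwords everywhere, some ACE somewhere in the tree is granting that right to the user or to a group it belongs to, very likely inherited from the domain root or a parent OU rather than from the "Sales Users OU". The script below is an added example, not code from anyone in this thread, that enumerates exactly that. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), which postdates the Windows 2003 domain in the post; on a 2003 domain the same inspection can be done per object with dsacls from the Support Tools. The account name salesadmin1 is hypothetical.

```powershell
# Added example, not code from anyone in the thread: report every container in the
# domain on which the delegated account holds "Reset Password", directly or through
# a group, and whether that ACE was inherited from a parent. Assumes the ActiveDirectory
# PowerShell module (RSAT, Server 2008 R2+), which postdates the Windows 2003 domain in the post.
Import-Module ActiveDirectory

$SamAccountName    = 'salesadmin1'                                   # hypothetical delegated user
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'    # User-Force-Change-Password extended right
$AllRightsGuid     = [guid]'00000000-0000-0000-0000-000000000000'    # ObjectType "all": ACE covers every extended right

$user = Get-ADUser -Identity $SamAccountName

# SIDs whose ACEs apply to this user: the user itself, every group it is in
# (nested, via the LDAP_MATCHING_RULE_IN_CHAIN filter) and the implicit principals.
$sids = New-Object 'System.Collections.Generic.HashSet[string]'
[void]$sids.Add($user.SID.Value)
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { [void]$sids.Add($_.SID.Value) }
foreach ($wellKnown in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545') {      # Everyone, Authenticated Users, BUILTIN\Users
    [void]$sids.Add($wellKnown)
}

$rightsType = [System.DirectoryServices.ActiveDirectoryRights]
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'

$findings = foreach ($c in $containers) {
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    # Request SID identities so the match does not depend on name resolution.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if (-not $sids.Contains($ace.IdentityReference.Value)) { continue }

        $rights      = $ace.ActiveDirectoryRights
        $fullControl = ($rights -band $rightsType::GenericAll) -eq $rightsType::GenericAll
        $resetRight  = (($rights -band $rightsType::ExtendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllRightsGuid)
        # WriteDacl/WriteOwner do not reset passwords by themselves, but let the holder grant itself the right.
        $canEscalate = ($rights -band ($rightsType::WriteDacl -bor $rightsType::WriteOwner)) -ne 0
        if (-not ($fullControl -or $resetRight -or $canEscalate)) { continue }

        $reason  = if ($fullControl) { 'GenericAll' } elseif ($resetRight) { 'ResetPassword' } else { 'WriteDacl/WriteOwner' }
        $trustee = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.IdentityReference.Value }

        [pscustomobject]@{
            Container = $c.DistinguishedName
            Type      = $ace.AccessControlType      # a Deny here overrides an Allow for the same right
            Trustee   = $trustee
            Reason    = $reason
            Inherited = $ace.IsInherited            # True: the ACE was set on a parent, e.g. the domain root
            AppliesTo = $ace.InheritanceType
        }
    }
}

$findings | Sort-Object Container | Format-Table -AutoSize
```

Read the output the way Anthony suggests reading ADSIEdit: a correct delegation shows one Allow ACE on the "Sales Users OU" (and, with Inherited = True, on its child containers only) whose Trustee is the delegated account. If the same ACE turns up on every container with Inherited = True, it was granted on the domain root or a parent OU, and it must be removed there, not on the sub-OU. A Trustee other than the account itself (a group, Everyone, Authenticated Users) means the right reached the user through membership rather than through the wizard. Note that plain read permissions never appear in this list, which is Anthony's point: the MMC showing the whole tree is expected and does not by itself allow a password reset.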