Re: Problem managing accounts in protected groups



Hello Steve,

If your normal domain users that manage accounts are also able to manage the higher level administrators, you kick yourself in..... I have never heard of someone giving more security permissions to users than to the admins.

I think you have realized that the account management group is able to reset a domain admin's password and work themselves as admin if your configuration gets working completely?

What's the reason for this kind of configuration?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Before I ask my question, here is our basic setup:

We have a single Windows 2003 Domain. Within the domain there are two
OUs that contain users. OU A has users who DO NOT have desktop
restrictions through GPOs and OU B is for users who DO HAVE some
desktop restrictions. We have created a new group called Account
Management. This group contains users in both OUs and should have
permission to unlock accounts and reset passwords. The permissions for
this group have been applied to OU B and it all works perfectly. The
permissions for this group have also been applied to OU A.

Here is the problem. Most members of OU A are either members of Domain
Admins or Backup Operators. Even after setting the permissions on the
AdminSDHolder container and having those permissions propagate to the
protected accounts, the Account Management group still cannot manage
lockouts or passwords for the users in the protected groups. Users in
OU A who are not in protected groups can be managed properly.
I know that there is a way to remove certain groups from being
protected, but I do not have permission to do that.
How can I get this group to be able to manage members of the protected
groups? I would appreciate suggestions for other things to try, or
pointers in the right direction. Thank you.
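
An added example, not part of the original thread: a small audit that reads a security descriptor in SDDL form (such as the one set on AdminSDHolder and propagated to protected accounts) and lists non-administrative trustees that can reset passwords or unlock accounts. The function name, the sample descriptor and the SID are constructed for illustration, and the script assumes rights are written as SDDL mnemonics.

```python
import re

# Schema GUIDs as they appear in object ACEs
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
LOCKOUT_TIME = "28630ebf-41d5-11d1-a9c1-0000f80367c1"    # lockoutTime attribute (unlock)
# SDDL aliases expected to hold these rights: Domain/Enterprise Admins,
# BUILTIN\Administrators, SYSTEM (assumption; adjust to local policy)
PRIVILEGED = {"DA", "EA", "BA", "SY"}

def risky_aces(sddl, privileged=PRIVILEGED):
    """List (trustee, capability) for allow ACEs that let a non-privileged
    trustee reset passwords or unlock the objects carrying this descriptor.
    Assumes mnemonic rights (e.g. RPWP); hex access masks are not decoded."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        f = ace.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or f[5] in privileged:
            continue
        # Flags and rights are two-letter codes; split in pairs so that
        # "LCRP" is read as LC+RP and not mistaken for CR.
        if "IO" in re.findall("..", f[1]):
            continue  # inherit-only: not effective on the object itself
        rights = set(re.findall("..", f[2]))
        obj = f[3].lower()  # empty means all extended rights / all properties
        if rights & {"CR", "GA"} and obj in ("", RESET_PASSWORD):
            findings.append((f[5], "reset password"))
        if rights & {"WP", "GA"} and obj in ("", LOCKOUT_TIME):
            findings.append((f[5], "unlock account"))
    return findings

# Constructed sample descriptor; the SID stands in for a delegated group.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("O:DAG:DAD:PAI"
          "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;DA)"
          "(A;;LCRPLORC;;;AU)"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"   # Change Password
          f"(OA;;CR;{RESET_PASSWORD};;{HELPDESK})"
          f"(OA;;RPWP;{LOCKOUT_TIME};;{HELPDESK})")

if __name__ == "__main__":
    for trustee, capability in risky_aces(SAMPLE):
        print(f"{trustee}: {capability}")
```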


