Re: Problem managing accounts in protected groups
- From: Steve <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Sep 2008 07:13:01 -0700
Meinolf,
I know that the request seems strange, but the members of the new group are
not just any users.
We are a small company. we have two domain admins: the IT Manager and the
Network Admin. It is not uncommon for only one of us to be in the building.
If one of us is locked out without the other here, it is a big hassle because
not only can we not do OUR work, we can't help anyone else either. The others
that would be in the Account Management group would be the CFO/CIO and our
System Support person (who the member of Backup Operators). We would like for
one of them to be able to unlock one of the Admins if they become locked when
the other isn't there.
I hope that makes things a little clearer.
--
Technical Support is usually neither.
"Meinolf Weber" wrote:
Hello Steve,.
If your normal domain users that manage accounts are aible to manage also
the higher level administrators, you kick yourself in..... Never heard about
that someone will give more security permissions to users then to the admins.
I think you have realized that the account management group is able to reset
a domain admins password and work themself as admin if your configuration
gets working completely?
What's the reason for this kind of configuration?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Before I ask my question, here is our basic setup:
We have a single Windows 2003 Domain. Within the domain there are two
OUs that contain users. OU A has users who DO NOT have desktop
restictions through GPOs and OU B is for users who DO HAVE some
desktop restrictions. We have created a new group called Account
Management. This group contains users in both OUs and should have
permission to unlock accounts and reset passwords. The permissions for
this group have been applied to OU B and it all works perfectly. The
permissions for this group have also been applied to OU A.
Here is the problem. Most members of OU A are either members of Domain
Admins or Backup Operators. Even after setting the permissions on the
AdminSDHolder container and having those permissions propagate to the
protected accounts, the Account Mangement group still cannot manage
lockouts
or passwords for the users in the protected groups. Users in OU A who
are not
in protected groups can be managed properly.
I know that there is a way to remove certain groups from being
protected,
but I do not have permission to do that.
How can I get this group to be able to manage members of the protected
groups? I would appreciate suggestions for other things to try, or
pointers in the right direction. Thank you.
- Follow-Ups:
- Re: Problem managing accounts in protected groups
- From: Meinolf Weber
- Re: Problem managing accounts in protected groups
- References:
- Problem managing accounts in protected groups
- From: Steve
- Re: Problem managing accounts in protected groups
- From: Meinolf Weber
- Problem managing accounts in protected groups
- Prev by Date: Re: 2008 DC on 2003 forest, dcpromo fails after adprep
- Next by Date: Re: 2008 DC on 2003 forest, dcpromo fails after adprep
- Previous by thread: Re: Problem managing accounts in protected groups
- Next by thread: Re: Problem managing accounts in protected groups
- Index(es):
Relevant Pages
|
