Re: Unlock accounts in same security group - account operators




Hello colin,

Did you check this one?
http://support.microsoft.com/kb/294952/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


On 26 Sep, 13:24, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:

Are you saying that if for example my helpdesk guys are delegated
the read/write lockout time privilege then they will be able to
unlock one another's accounts?

no, not if they are in the Account Operators group. Account Operators
group is a protected group which in turn makes all of its members
protected objects. Because of that, delegating stuff to some group on
protected objects will not work, because the permissions are NOT
inherited by those protected objects (this is by design)

go to my blog and search for ADMINSDHOLDER

you'll find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)-->http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)-->http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question -->http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
<colin.lau...@xxxxxxxxxxxxxx> wrote in message
news:248620e5-4fb3-4982-994b-4accf437f5d6@xxxxxxxxxxxxxxxxxxxxxxxxxxxm...

OK, I take your point on board.

Are you saying that if for example my helpdesk guys are delegated
the read/write lockout time privilege then they will be able to
unlock one another's accounts?

Thanks.

Jorge de Almeida Pinto [MVP - DS] wrote:

do not use built in groups in AD like Account Operators, Server
Operators. Those were for NT4 and are in AD for backwards compat
purposes during upgrades. When using AD you should create your own
groups and delegate stuff.
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
<colin.lau...@xxxxxxxxxxxxxx> wrote in message
news:c9cb22cb-be97-4d61-bb3c-4c2617a24b68@xxxxxxxxxxxxxxxxxxxxxxxxxom...
Hi - our helpdesk staff are part of the built in AD Account
Operators group.

I want them to be able to unlock one another's accounts as
required. At present this option is greyed out as expected.

Delegating the read/write lockout time option does not work as the
helpdesk users are in the Account Operators group, which is a
higher privilege group.

Any ideas folks?

Thanks very much

Thanks Jorge - my helpdesk guys are not in the Account Operators built
in group. They are part of a custom group. The group should have the
correct delegated permissions to unlock each other's accounts; this is
not the case. The account unlock permission is greyed out for
selection.

Are you able to confirm what delegated rights are required for this
type of account management? I cannot find an answer so far...

Thanks very much..

Colin.
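As an added diagnostic (not something posted in this thread), the following PowerShell checks the two conditions the thread turns on: whether a helpdesk account is still protected by AdminSDHolder (adminCount set or inheritance blocked, which is what happens to current and former Account Operators members), and whether the custom group actually holds Read/Write on the lockoutTime property of the OU, the permission KB 294952 delegates. It assumes the ActiveDirectory module and its AD: drive; the OU, group and user names are placeholders.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Ou    = 'OU=Helpdesk,DC=example,DC=com'   # placeholder: OU that holds the helpdesk accounts
$Group = 'EXAMPLE\Helpdesk-Unlock'         # placeholder: custom group that should be able to unlock
$User  = 'hd.user1'                        # placeholder: helpdesk account that cannot be unlocked

# 1. Is the target account an AdminSDHolder-protected object? Protected objects carry
#    adminCount=1 and have ACL inheritance disabled, so OU-level delegation never reaches them.
$u = Get-ADUser -Identity $User -Properties adminCount, nTSecurityDescriptor
$inheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
"{0}: adminCount={1} inheritanceBlocked={2}" -f $User, $u.adminCount, $inheritanceBlocked
if ($u.adminCount -eq 1 -or $inheritanceBlocked) {
    "Account is protected (current or former member of a protected group such as Account Operators)."
    "Remove it from the protected group, then clear adminCount and re-enable inheritance;"
    "until then the delegated lockoutTime permission will not apply."
}

# 2. Resolve the schemaIDGUID of lockoutTime from the schema rather than hard-coding it.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$attr        = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutGuid = [guid]$attr.schemaIDGUID

# 3. Does the OU grant the group Allow ReadProperty + WriteProperty on that one attribute?
#    That ACE is what enables the "Unlock account" checkbox for a delegated (non-protected) user.
$acl  = Get-Acl -Path "AD:\$Ou"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.ObjectType -eq $lockoutGuid -and
    $_.AccessControlType -eq 'Allow'
}
$rights = ($aces | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ','
if ($rights -match 'ReadProperty' -and $rights -match 'WriteProperty') {
    "OK: $Group has Read/Write lockoutTime on $Ou"
} else {
    # RPWP = ReadProperty + WriteProperty; /I:S applies the ACE to child user objects only.
    "MISSING: grant it with  dsacls `"$Ou`" /I:S /G `"${Group}:RPWP;lockoutTime;user`""
}
```

If step 1 reports a protected account, fixing the ACE in step 3 alone will not change the greyed-out checkbox; the account's own ACL is what blocks it.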





