Re: Unlock accounts in same security group - account operators



On 13 Oct, 13:06, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello colin,

Did you check this one? http://support.microsoft.com/kb/294952/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

On 26 Sep, 13:24, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:

Are you saying that if for example my helpdesk guys are delegated
the read/write lockout time privilege then they will be able to
unlock one another's accounts?

no, not if they are in the Account Operators group. Account Operators
group is a protected group which in turn makes all of its members
protected objects. Because of that delegated stuff to some group on
protected objects will not work because the permissions are NOT
inherited by those protected objects (this is by design)

go to my blog and search for ADMINSDHOLDER

you'll find more info

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services
#

BLOG (WEB-BASED)-->http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)-->http://blogs.dirteam.com/blogs/jorge/rss.aspx
---------------------------------------------------------------------
---------------------
* How to ask a question -->http://support.microsoft.com/?id=555375
---------------------------------------------------------------------
---------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test ANY suggestion in a test environment before
implementing!
---------------------------------------------------------------------
---------------------
#################################################
#################################################
---------------------------------------------------------------------
---------------------
<colin.lau...@xxxxxxxxxxxxxx> wrote in message

news:248620e5-4fb3-4982-994b-4accf437f5d6@xxxxxxxxxxxxxxxxxxxxxxxxxxx
m...

OK, I take your point on board.

Are you saying that if for example my helpdesk guys are delegated
the read/write lockout time privilege then they will be able to
unlock one another's accounts?

Thanks.

Jorge de Almeida Pinto [MVP - DS] wrote:

do not use built in groups in AD like Account Operators, Server
Operators. Those were for NT4 and are in AD for backwards compat
purposes during upgrades. When using AD you should create your own
groups and delegated stuff.
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)-->http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)-->http://blogs.dirteam.com/blogs/jorge/rss.aspx
<colin.lau...@xxxxxxxxxxxxxx> wrote in message
news:c9cb22cb-be97-4d61-bb3c-4c2617a24b68@xxxxxxxxxxxxxxxxxxxxxxxxx
om...
Hi  - our helpdesk staff are part of the built in AD Account
Operators group.

I want them to be able to unlock one another's accounts as
required. At present this option is greyed out as expected.

Delegating the read/write lockout time option does not work as the
helpdesk users are in the account operators group, which is a
higher privilege group.

Any ideas folks?

Thanks very much

Thanks Jorge - my helpdesk guys are not in the account operators built
in group. They are part of a custom group - the group should have the
correct delegated permissions to unlock each others' accounts, this is
not the case. The account unlock permission is greyed out for
selection.

Are you able to confirm what delegated rights are required for this
type of account management? I cannot find an answer so far...

Thanks very much..

Colin.

Meinolf - This is the exact document I followed, which does not work for
me.

Thanks.
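
Added example (not posted by anyone in the thread): a PowerShell check, using the ActiveDirectory module, of whether the protected-object behaviour Jorge describes applies to the members of a helpdesk group. The group name 'Helpdesk-Staff' and the function names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515); backslash must go first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
}

function Get-ProtectedObjectStatus {
    param([Parameter(Mandatory)][string]$GroupName)   # hypothetical helpdesk group

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties adminCount, nTSecurityDescriptor

            # Groups flagged adminCount=1 that the user belongs to, directly or
            # through nesting (LDAP_MATCHING_RULE_IN_CHAIN, 1.2.840.113556.1.4.1941).
            $dn = ConvertTo-LdapFilterValue $u.DistinguishedName
            $protected = Get-ADGroup -LDAPFilter `
                "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"

            [pscustomobject]@{
                SamAccountName      = $u.SamAccountName
                AdminCount          = $u.adminCount
                # True means ACEs delegated on the parent OU are not inherited
                # by this account, so the delegation has no effect on it.
                InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
                ProtectedGroups     = ($protected.Name -join ', ')
            }
        }
}

Get-ProtectedObjectStatus -GroupName 'Helpdesk-Staff' | Format-Table -AutoSize
```

An account showing AdminCount 1 and InheritanceDisabled True with an empty ProtectedGroups column was a member of a protected group in the past; neither setting is reset automatically when that membership ends.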