Re: Unlock accounts in same security group - account operators




You need read/write permissions on the lockoutTime attribute of the user objects in question.

Make sure that:
* permissions configured on the OU flow to child objects (this object and descendant objects)
* child objects inherit the permissions from the parent (inheritance is enabled)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

<colin.laurie@xxxxxxxxxxxxxx> wrote in message news:6e69eee4-103c-4fdc-8d68-69ad0b3e727b@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 26 Sep, 13:24, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:
> Are you saying that if for example my helpdesk guys are delegated the
> read/write lockout time privilege then they will be able to unlock
> one another's accounts?

No, not if they are in the Account Operators group. The Account Operators group
is a protected group, which in turn makes all of its members protected
objects. Because of that, delegating stuff to some group on protected objects
will not work, because the permissions are NOT inherited by those protected
objects (this is by design).

Go to my blog and search for ADMINSDHOLDER.

You'll find more info.


<colin.lau...@xxxxxxxxxxxxxx> wrote in message

news:248620e5-4fb3-4982-994b-4accf437f5d6@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

> OK, I take your point on board.

> Are you saying that if for example my helpdesk guys are delegated the
> read/write lockout time privilege then they will be able to unlock
> one another's accounts?

> Thanks.

> Jorge de Almeida Pinto [MVP - DS] wrote:

>> Do not use built-in groups in AD like Account Operators, Server
>> Operators.
>> Those were for NT4 and are in AD for backwards compat purposes during
>> upgrades. When using AD you should create your own groups and delegate
>> stuff.

>> See:
>> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

>> <colin.lau...@xxxxxxxxxxxxxx> wrote in message
>> news:c9cb22cb-be97-4d61-bb3c-4c2617a24b68@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> > Hi - our helpdesk staff are part of the built-in AD Account Operators
>> > group.

>> > I want them to be able to unlock one another's accounts as required. At
>> > present this option is greyed out as expected.

>> > Delegating the read/write lockout time option does not work as the
>> > helpdesk users are in the Account Operators group, which is a higher
>> > privilege group.

>> > Any ideas folks?

>> > Thanks very much

Thanks Jorge - my helpdesk guys are not in the Account Operators built-in
group. They are part of a custom group - the group should have the
correct delegated permissions to unlock each other's accounts; this is
not the case. The account unlock permission is greyed out for
selection.

Are you able to confirm what delegated rights are required for this
type of account management? I cannot find an answer so far...

Thanks very much..

Colin.
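As an added example (not code from Jorge's or Colin's posts), a PowerShell script that does the delegation Jorge describes and checks the AdminSDHolder condition he raises: it grants a custom group read/write on lockoutTime for all user objects under an OU, with inheritance to descendant objects, and flags any account whose adminCount=1 means SDProp will keep the ACE from ever applying. The OU `OU=Helpdesk,DC=example,DC=com` and the group name `HelpdeskUnlock` are assumptions; the script needs the ActiveDirectory module and rights to change the OU's ACL.

```powershell
# Added example, not from the thread. The OU and group names below are assumed.
Import-Module ActiveDirectory

$OU    = 'OU=Helpdesk,DC=example,DC=com'   # assumed OU holding the helpdesk accounts
$Group = 'HelpdeskUnlock'                   # assumed custom group (NOT Account Operators)

# Resolve schemaIDGUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$userClassGuid   = Get-SchemaGuid 'user'

# 1. Protected objects (adminCount=1, e.g. members of Account Operators) get their
#    ACL reset from AdminSDHolder by SDProp, so a delegated ACE never sticks to them.
Get-ADUser -SearchBase $OU -LDAPFilter '(adminCount=1)' -Properties memberOf | ForEach-Object {
    $groups = $_.memberOf -join '; '
    Write-Warning "$($_.SamAccountName) is protected (adminCount=1); delegation will not apply. memberOf: $groups"
}

# 2. ACE: Allow ReadProperty + WriteProperty on lockoutTime, inherited by descendant
#    user objects only (the OU object itself gains no rights from this entry).
$sid = (Get-ADGroup $Group).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$OU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# 3. Verify per user: inheritance must not be blocked on the object, and the ACE
#    must appear as an inherited entry for the group (Jorge's two checklist items).
foreach ($u in Get-ADUser -SearchBase $OU -Filter *) {
    $uAcl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $hit  = $uAcl.Access | Where-Object { $_.IsInherited -and $_.ObjectType -eq $lockoutTimeGuid -and $_.IdentityReference.Value -like "*\$Group" }
    if ($uAcl.AreAccessRulesProtected -or -not $hit) {
        Write-Warning "$($u.SamAccountName): lockoutTime ACE not inherited (inheritance blocked or protected object)"
    } else {
        "$($u.SamAccountName): OK"
    }
}
```

Any account reported in step 1 or 3 is the case Jorge describes: moving it out of the protected group (and clearing adminCount, then re-enabling inheritance) is what lets the delegation take effect, not a bigger ACE.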
