Re: Delegate Control... Reset Passwords
- From: Mark Z. <MarkZ@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 18 Nov 2008 08:06:22 -0800
Did you also delegate them permission to the pwdLastSet attribute?
"JPolicelli [MVP-DS]" wrote:
The Account Operators group is the wrong group to use. This group has the
permissions to create/delete InetOrgPerson objects, computer objects,
group objects, and user objects on every OU in the domain by default. The
goal is to reset passwords for users in selected OU's, but not all.
You are headed in the right direction Otto. Your "PCAdmins, Reset
Password, <not inherited>, User Objects" line indicates that you set up the
appropriate permission to meet your goal. If you run the DSACLs command,
what does it show for the PCAdmins group? You should see something like
this for the permission in question:
Inherited to user
Allow DOMAINNAME\PCAdmins Reset Password
Another question...is this problem applicable to password resets for all
users or a subset of users? If it is the latter, check whether the
applicable user(s) is/are a member of a protected group:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
If they are, then permissions on these objects are not inherited from the
Domain ACL or OU ACLs. You need to delegate permissions on the
AdminSDHolder object.
--
JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/
----
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66e2168cb171bbe074530@xxxxxxxxxxxxxxxxxxxxxxx
Hello Otto,
Are the not working accounts members of the "Account operators" group?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
I have a group of admins that are able to reset passwords for users in
selected OU's, but not all. Security settings appear the same on all
OU's, but these admins all receive the message "Access Denied" when
trying to reset passwords. Here is my configuration:
ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members
OU Structure:
<domain.com>\Community\Name1\Computers
<domain.com>\Community\Name1\Users
<domain.com>\Community\Name2\Computers
<domain.com>\Community\Name2\Users
etc...
Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all child objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This object and all child objects
Thank you.
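Added example, not part of any post in this thread: one way to run the check the replies describe, listing users in a delegated OU that are covered by AdminSDHolder and therefore do not inherit the OU's Reset Password ACE. The DNs are assumptions built from the OU layout in the original post, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: DNs built from the OU layout in the original post.
$domainDn = 'DC=domain,DC=com'
$ou       = "OU=Users,OU=Name1,OU=Community,$domainDn"

# Protected groups as listed in the thread.
$protected = 'Account Operators', 'Server Operators', 'Print Operators',
             'Backup Operators', 'Domain Admins', 'Schema Admins',
             'Enterprise Admins', 'Cert Publishers'

Get-ADUser -SearchBase $ou -Filter * -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $user = $_
        # Transitive (nested) membership via the LDAP_MATCHING_RULE_IN_CHAIN OID.
        # Caveats: finds groups in this domain only, does not see the primary
        # group, and DNs containing ( ) * or \ need LDAP filter escaping first.
        $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
        $hits = Get-ADGroup -LDAPFilter $filter |
            Where-Object { $protected -contains $_.Name } |
            ForEach-Object { $_.Name }

        [pscustomobject]@{
            User               = $user.SamAccountName
            AdminCount         = $user.adminCount
            InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedGroups    = $hits -join ', '
        }
    } |
    Where-Object { $_.AdminCount -eq 1 -or $_.InheritanceBlocked -or $_.ProtectedGroups } |
    Format-Table -AutoSize

# ACEs for the delegated group on the OU, and the AdminSDHolder ACL for comparison.
dsacls $ou | Select-String 'PCAdmins'
dsacls "CN=AdminSDHolder,CN=System,$domainDn"
```

A user that has left a protected group can still show adminCount 1 and blocked inheritance, since neither is reverted automatically.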