Re: Delegate Control... Reset Passwords



For DCs within the same site the changes are fast. Between sites, it depends on your replication configuration.
You can force replication to make the changes immediately to all DCs. You can use ADSS or repadmin.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Otto" <Otto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:30CAF347-709A-4B6A-A68E-6337CA672797@xxxxxxxxxxxxxxxx
Thanks for everyone's replies.

the PCAdmins group is a member of the following two groups:

- DHCP Users
- Print Operators

Is this my problem? If I remove them from these groups, how long will
replication take to my other DCs?

Also, I need these users to be able to View DHCP information. How can I
keep this ability?
- O

"Jorge Silva" wrote:

Hi
pwdLastSet makes sense because you WANT to have the ability to select the
option to force the user to change the password at the next logon. You don't
want Admins to keep the user's password. Of course you can tell the user to
change it himself, but there are many companies that have this
procedure - After resetting a PW, force the user to change it. For that you
need Read and Write permissions on the pwdLastSet attribute.
For that check:
http://support.microsoft.com/kb/296999

Don't use existing AD groups to do that, create your own Groups and assign
the necessary permissions to do their job. Check how at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"JPolicelli [MVP-DS]" <JPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23H0dHoZSJHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
>I typically do not. What is it that you want them to do with this
>attribute?
>
> --
> JPolicelli, MVP - Directory Services
> This posting is provided "AS IS" with no warranties and confers no rights!
> http://johnpolicelli.wordpress.com/
> ----
>
> "Mark Z." <MarkZ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:C5249BEC-756C-4EB9-84EA-EBA5340B73A1@xxxxxxxxxxxxxxxx
>> Did you also delegate them permission to the pwdLastSet attribute?
>>
>> "JPolicelli [MVP-DS]" wrote:
>>
>>> The Account Operators group is the wrong group to use. This group has the
>>> permissions to create/delete InetOrgPerson objects, computer objects,
>>> group objects, and user objects on every OU in the domain by default. The
>>> goal is to reset passwords for users in selected OU's, but not all.
>>>
>>> You are headed in the right direction Otto. Your "PCAdmins, Reset
>>> Password, <not inherited>, User Objects" line indicates that you setup the
>>> appropriate permission to meet your goal. If you run the DSACLs command,
>>> what does it show for the PCAdmins group? You should see something like
>>> this for the permission in question:
>>> Inherited to user
>>>
>>> Allow DOMAINNAME\PCAdmins Reset Password
>>>
>>> Another question...is this problem applicable to password resets for all
>>> users or a subset of users? If it is the latter, check whether the
>>> applicable user(s) is/are a member of a protected group:
>>> Account Operators
>>> Server Operators
>>> Print Operators
>>> Backup Operators
>>> Domain Admins
>>> Schema Admins
>>> Enterprise Admins
>>> Cert Publishers
>>>
>>> If they are, then permissions on these objects are not inherited from the
>>> Domain ACL or OU ACLs. You need to delegate permissions on the
>>> AdminSDHolder object.
>>>
>>> --
>>>
>>> JPolicelli, MVP - Directory Services
>>> This posting is provided "AS IS" with no warranties and confers no
>>> rights!
>>> http://johnpolicelli.wordpress.com/
>>> ----
>>>
>>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>>> news:ff16fb66e2168cb171bbe074530@xxxxxxxxxxxxxxxxxxxxxxx
>>> > Hello Otto,
>>> >
>>> > Are the not working accounts members of the "Account operators" group?
>>> >
>>> > Best regards
>>> >
>>> > Meinolf Weber
>>> > Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> > confers no rights.
>>> > ** Please do NOT email, only reply to Newsgroups
>>> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> >
>>> >
>>> >> I have a group of admins that are able to reset passwords for users in
>>> >> selected OU's, but not all. Security settings appear the same on all
>>> >> OU's, but these admins all receive the message "Access Denied" when
>>> >> trying to reset passwords. Here is my configuration:
>>> >>
>>> >> ADUC = <domain.com>\Admins
>>> >> Security Group - "PCAdmins"; 7 members
>>> >> OU Structure:
>>> >> <domain.com>\Community\Name1\Computers
>>> >> <domain.com>\Community\Name1\Users
>>> >> <domain.com>\Community\Name2\Computers
>>> >> <domain.com>\Community\Name2\Users
>>> >> etc...
>>> >> Security placed on "Users" OU as follows:
>>> >> - PCAdmins, Read/Write Property, <not inherited>, User Objects
>>> >> - PCAdmins, Reset Password, <not inherited>, User Objects
>>> >> - PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all
>>> >> child objects
>>> >> - PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This
>>> >> object and all child objects
>>> >> Thank you.
>>> >>
>>> >
>>> >
>>>
>
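
Added example, not written by any poster in this thread: one way to run the checks discussed above (protected accounts under AdminSDHolder, the delegated ACEs that DSACLs shows, and forcing replication with repadmin). It assumes the ActiveDirectory PowerShell module is installed; the OU path and domain components are placeholders built from the structure Otto describes.

```powershell
# Added example. $ou is a placeholder distinguished name; adjust to your domain.
Import-Module ActiveDirectory

$ou    = 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com'   # placeholder
$group = 'PCAdmins'

# 1. Find target users the delegation cannot reach: accounts stamped by
#    AdminSDHolder (adminCount = 1) or with ACL inheritance switched off.
#    adminCount and the blocked inheritance both persist after a user is
#    removed from a protected group, so former members show up here too.
$report = Get-ADUser -SearchBase $ou -Filter * -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            User               = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
$report |
    Where-Object { $_.AdminCount -eq 1 -or $_.InheritanceBlocked } |
    Format-Table -AutoSize

# 2. Direct group memberships of the delegated group itself. Nesting it into
#    a protected group (for example Print Operators) makes its members
#    protected accounts as well.
Get-ADPrincipalGroupMembership -Identity $group | Select-Object Name

# 3. Show the ACEs granted to the delegated group on the OU, including the
#    "Reset Password" entry inherited to user objects.
dsacls $ou | Select-String -Pattern $group -Context 0,2

# 4. After changing group membership or ACLs, push the change to all DCs
#    across sites instead of waiting for the replication schedule.
repadmin /syncall /AdeP
```

Any user listed by step 1 keeps the ACL copied from AdminSDHolder, so the "Reset Password" ACE set on the OU does not apply to that account until inheritance is re-enabled on it.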

