Re: Delegate Control... Reset Passwords




I was missing one post. Sounds like PCAdmins was successfully removed from the "Print Operators" security group, correct?

Now, the issue that you have is regarding password delegation, right?
Assuming yes, review the steps at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Otto" <Otto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:226A0923-CDE3-4EAA-8E9C-DFA9DB222349@xxxxxxxxxxxxxxxx
The Replication summary came back with no errors. The only error I find in
the Event Viewer is an "MRxSmb"-Event ID "8003", Master Browser error.

Also, if I check the Security properties of an actual user account, I don't
see PCAdmins in there at all, but I do see the following:
Type="Everyone", Name="Everyone", Permission="Change Password", not
inherited, this object only.
- O

"Jorge Silva" wrote:

Either something is wrong with delegation or replication is failing. Any
errors in the event log? Also type from cmd:
repadmin /replsum * /bysrc /bydest /sort:delta
Check for errors.

Are you working with local groups in member servers or DCs?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Otto" <Otto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B885686C-DE87-45DE-B9D9-4C41019AC79B@xxxxxxxxxxxxxxxx
> Well my replication worked fine. All changes replicated out. I removed the
> PCAdmins from the "Print Operators" group, but still no luck. PCAdmins still
> cannot change user passwords in selected sub-OU's.
> - O
>
>
> "Jorge Silva" wrote:
>
>> For DCs within the same site the changes are fast. Between sites, it depends on
>> your replication configuration.
>> You can force replication to make the changes immediately to all DCs. You
>> can use ADSS or repadmin.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MCSE, MVP Directory Services
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Otto" <Otto@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:30CAF347-709A-4B6A-A68E-6337CA672797@xxxxxxxxxxxxxxxx
>> > Thanks for everyone's replies.
>> >
>> > the PCAdmins group is a member of the following two groups:
>> >
>> > - DHCP Users
>> > - Print Operators
>> >
>> > Is this my problem? If I remove them from these groups, how long will
>> > replication take to my other DC's?
>> >
>> > Also, I need these users to be able to View DHCP information. How can I
>> > keep this ability?
>> > - O
>> >
>> > "Jorge Silva" wrote:
>> >
>> >> Hi
>> >> pwdLastSet makes sense because you WANT to have the ability to select the
>> >> option to force the user to change the password at the next logon. You don't
>> >> want Admins to keep the user's password. Of course you can tell the user to
>> >> change it themselves, but there are many companies that have this
>> >> procedure - After resetting a PW, force the user to change it. You need
>> >> Read and Write permissions on the pwdLastSet attribute for that.
>> >> For that check:
>> >> http://support.microsoft.com/kb/296999
>> >>
>> >> Don't use existing AD groups to do that, create your own Groups and assign
>> >> the necessary permissions to do their job. Check the how-to at:
>> >> RESET USER PASSWORDS
>> >> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>> >>
>> >> --
>> >> I hope that the information above helps you.
>> >> Have a Nice day.
>> >>
>> >> Jorge Silva
>> >> MCSE, MVP Directory Services
>> >>
>> >> Please no e-mails, any questions should be posted in the NewsGroup
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >>
>> >> "JPolicelli [MVP-DS]" <JPolicelliMVPDS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> message news:%23H0dHoZSJHA.1148@xxxxxxxxxxxxxxxxxxxxxxx
>> >> >I typically do not. What is it that you want them to do with this
>> >> >attribute?
>> >> >
>> >> > --
>> >> >
>> >> > JPolicelli, MVP - Directory Services
>> >> > This posting is provided "AS IS" with no warranties and confers no
>> >> > rights!
>> >> > http://johnpolicelli.wordpress.com/
>> >> > ----
>> >> >
>> >> > "Mark Z." <MarkZ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> > news:C5249BEC-756C-4EB9-84EA-EBA5340B73A1@xxxxxxxxxxxxxxxx
>> >> >> Did you also delegate them permission to the pwdLastSet attribute?
>> >> >>
>> >> >> "JPolicelli [MVP-DS]" wrote:
>> >> >>
>> >> >>> The Account Operators group is the wrong group to use. This group has the
>> >> >>> permissions to create/delete InetOrgPerson objects, computer objects,
>> >> >>> group objects, and user objects on every OU in the domain by default. The
>> >> >>> goal is to reset passwords for users in selected OU's, but not all.
>> >> >>>
>> >> >>> You are headed in the right direction Otto. Your "PCAdmins, Reset
>> >> >>> Password, <not inherited>, User Objects" line indicates that you set up the
>> >> >>> appropriate permission to meet your goal. If you run the DSACLs command,
>> >> >>> what does it show for the PCAdmins group? You should see something like
>> >> >>> this for the permission in question:
>> >> >>> Inherited to user
>> >> >>>
>> >> >>> Allow DOMAINNAME\PCAdmins Reset Password
>> >> >>>
>> >> >>> Another question...is this problem applicable to password resets for all
>> >> >>> users or a subset of users? If it is the latter, check whether the
>> >> >>> applicable user(s) is/are a member of a protected group:
>> >> >>> Account Operators
>> >> >>> Server Operators
>> >> >>> Print Operators
>> >> >>> Backup Operators
>> >> >>> Domain Admins
>> >> >>> Schema Admins
>> >> >>> Enterprise Admins
>> >> >>> Cert Publishers
>> >> >>>
>> >> >>> If they are, then permissions on these objects are not inherited from the
>> >> >>> Domain ACL or OU ACLs. You need to delegate permissions on the
>> >> >>> AdminSDHolder object.
>> >> >>>
>> >> >>> --
>> >> >>>
>> >> >>> JPolicelli, MVP - Directory Services
>> >> >>> This posting is provided "AS IS" with no warranties and confers no
>> >> >>> rights!
>> >> >>> http://johnpolicelli.wordpress.com/
>> >> >>> ----
>> >> >>>
>> >> >>> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
>> >> >>> news:ff16fb66e2168cb171bbe074530@xxxxxxxxxxxxxxxxxxxxxxx
>> >> >>> > Hello Otto,
>> >> >>> >
>> >> >>> > Are the not working accounts members of the "Account operators"
>> >> >>> > group?
>> >> >>> >
>> >> >>> > Best regards
>> >> >>> >
>> >> >>> > Meinolf Weber
>> >> >>> > Disclaimer: This posting is provided "AS IS" with no warranties, and
>> >> >>> > confers no rights.
>> >> >>> > ** Please do NOT email, only reply to Newsgroups
>> >> >>> > ** HELP us help YOU!!!
>> >> >>> > http://www.blakjak.demon.co.uk/mul_crss.htm
>> >> >>> >
>> >> >>> >
>> >> >>> >> I have a group of admins that are able to reset passwords for users in
>> >> >>> >> selected OU's, but not all. Security settings appear the same on all
>> >> >>> >> OU's, but these admins all receive the message "Access Denied" when
>> >> >>> >> trying to reset passwords. Here is my configuration:
>> >> >>> >>
>> >> >>> >> ADUC = <domain.com>\Admins
>> >> >>> >> Security Group - "PCAdmins"; 7 members
>> >> >>> >> OU Structure:
>> >> >>> >> <domain.com>\Community\Name1\Computers
>> >> >>> >> <domain.com>\Community\Name1\Users
>> >> >>> >> <domain.com>\Community\Name2\Computers
>> >> >>> >> <domain.com>\Community\Name2\Users
>> >> >>> >> etc...
>> >> >>> >> Security placed on "Users" OU as follows:
>> >> >>> >> - PCAdmins, Read/Write Property, <not inherited>, User Objects
>> >> >>> >> - PCAdmins, Reset Password, <not inherited>, User Objects
>> >> >>> >> - PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all child objects
>> >> >>> >> - PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This object and all child objects
>> >> >>> >> Thank you.
>> >> >>> >>
>> >> >>> >
>> >> >>> >
>> >> >>>
>> >> >
>> >>
>>
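
The protected-group check discussed in the thread, as an added PowerShell example that is not part of the original posts: it lists, per user under one OU, whether SDProp has marked the account (adminCount = 1, inheritance disabled) and whether an Allow ACE for Reset Password naming the delegate group is actually in effect on the object. Assumptions: the ActiveDirectory RSAT module is available, and the OU path and group name are placeholders built from the names used in the thread.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Placeholders: substitute your own OU and delegate group.
$SearchBase = 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com'
$Delegate   = 'DOMAIN\PCAdmins'

# rightsGuid of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$query = @{
    SearchBase  = $SearchBase
    SearchScope = 'Subtree'
    Filter      = '*'
    Properties  = 'adminCount', 'nTSecurityDescriptor'
}

Get-ADUser @query | ForEach-Object {
    $sd = $_.nTSecurityDescriptor

    # Explicit and inherited ACEs, with trustees translated to DOMAIN\name.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # ACEs that give the delegate Reset Password: either the specific right,
    # or an all-extended-rights / Full Control ACE (empty ObjectType GUID).
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtRight) -and
        ($_.ObjectType -eq $ResetPwd -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        User               = $_.SamAccountName
        AdminCount         = $_.adminCount                # 1 = stamped by SDProp
        InheritanceBlocked = $sd.AreAccessRulesProtected  # True = OU ACEs do not apply
        DelegateCanReset   = [bool]$match
    }
} | Sort-Object DelegateCanReset, User | Format-Table -AutoSize
```

Only ACEs that name the delegate group directly are matched; rights reaching its members through another group are not evaluated. Accounts showing `AdminCount = 1` with `InheritanceBlocked = True` are the ones whose ACL comes from AdminSDHolder rather than from the OU.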

