Re: Giving rights to a group to reset and unlock users in a AD domain

From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
Date: Tue, 7 Jul 2009 19:30:59 +0000 (UTC)

Hello sqldbaguy,

To reset password use the "delgate control" wizard and also use the settings in the article to give the permissions to unlock accounts:
http://support.microsoft.com/kb/294952/en-us

Do not use the builtin groups for that, create your own security group. The AdminSDHolder process runs on some protected groups and removes delegated permissions and inheritance if set. See also:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi guys,

Im new here. I have a problem that I hope you guys can help with. Our
A.D. guy has quit so they are giving me (the SQL DBA guy) the
responsibilities.

I am trying to add this group of users, who we are calling the
"Account Password Reset group" and I need to give them the right to
reset any user password, and also unlock a user in the domain. The
only problem is, when I add that group under Account Operators it
doesn't work. My users get an Access Denied error or something like
that. And they can only reset and unlock users within their own
"Account Password Reset group". It works when I put them under Domain
Admin group, but those privileges are too broad, and our director does
not want them with all those rights. Is there another built in group I
could use, or a way to modify their rights so they can have privileges
to unlock and reset user accounts?

Please help me, I have to have this fixed very soon and I dont need to
lose my job with the way the market is right now. Please help me.

Thanks

http://forums.techarena.in

References:
- Giving rights to a group to reset and unlock users in a AD domain
  - From: sqldbaguy

Prev by Date: Re: Secondary (backup) domain controller not working ?
Next by Date: Re: Secondary (backup) domain controller not working ?
Previous by thread: Re: Giving rights to a group to reset and unlock users in a AD domain
Next by thread: Secondary (backup) domain controller not working ?
Index(es):
- Date
- Thread

Relevant Pages

Re: Delegate Control... Reset Passwords
... Also, If I check the Security properties of an actual user account, I don't ... PCAdmins from the "Print Operators" group, ... that Read and Write permissions in pwdLastSet attribute. ... RESET USER PASSWORDS ...
(microsoft.public.windows.server.active_directory)
Re: Password Reset and Unlock unable to disable..
... Even though the pick is there, if the delegation is done correctly they will not be able to do a reset or unlock. ... Even under the Account tab the option user must change the password for the next logon is not deem. ... and I have don;t have the full administration access to modify certain group or security permission but I able to view it. ...
(microsoft.public.win2000.active_directory)
RE: Password disappears
... account password will be reset to empty automatic. ... SBS infected by Trojan horse. ... Configure account lockout policy. ...
(microsoft.public.windows.server.sbs)
RE: Quick question on resetting computer accounts in AD
... and recreating the account. ... Is it okay to use the reset account function? ... SBS Server Management console does not have "Reset Account" command to ... In fact, the SBS Server Management console has already integrated ADUC, you ...
(microsoft.public.windows.server.sbs)
Re: Account Lockout
... "How to Grant Help Desk Personnel the Specific Right to Unlock Locked ... the reset it executed and the flag is cleared. ... bactchjob that calls CHOICE to ask "reset account ". ... >user account (local computer, not domain user account) ...
(Security-Basics)