Delegate Control... Reset Passwords
Otto (Guest)
Posted: Mon Nov 17, 2008 7:53 pm    Post subject: Delegate Control... Reset Passwords

I have a group of admins that are able to reset passwords for users in
selected OUs, but not all. Security settings appear the same on all OUs,
but these admins all receive the message "Access Denied" when trying to reset
passwords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members

OU Structure:
<domain.com>\Community\Name1\Computers
<domain.com>\Community\Name1\Users
<domain.com>\Community\Name2\Computers
<domain.com>\Community\Name2\Users
etc...

Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all child objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This object and all child objects

Thank you.
Meinolf Weber (Guest)
Posted: Mon Nov 17, 2008 9:34 pm    Post subject: Re: Delegate Control... Reset Passwords

Hello Otto,

Are the accounts that are not working members of the "Account Operators" group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


JPolicelli [MVP-DS] (Guest)
Posted: Tue Nov 18, 2008 1:41 pm    Post subject: Re: Delegate Control... Reset Passwords

The Account Operators group is the wrong group to use. This group has the permissions to create/delete InetOrgPerson objects, computer objects, group objects, and user objects on every OU in the domain by default. The goal is to reset passwords for users in selected OU's, but not all.

You are headed in the right direction Otto. Your "PCAdmins, Reset Password, <not inherited>, User Objects" line indicates that you set up the appropriate permission to meet your goal. If you run the DSACLs command, what does it show for the PCAdmins group? You should see something like this for the permission in question:
Inherited to user

Allow DOMAINNAME\PCAdmins Reset Password

Another question...is this problem applicable to password resets for all users or a subset of users? If it is the latter, check whether the applicable user(s) is/are a member of a protected group:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

If they are, then permissions on these objects are not inherited from the Domain ACL or OU ACLs. You need to delegate permissions on the AdminSDHolder object.

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/
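
A way to check the two points above (is the target account protected by AdminSDHolder, and does an Allow "Reset Password" ACE for the group actually reach the user object), as an added example that is not code from this thread; it also checks the Write on pwdLastSet that later replies bring up. It assumes the RSAT ActiveDirectory module on a domain-joined machine; 'PCAdmins' is the thread's group name and the user name in the usage line is a placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# (it provides the AD: drive used by Get-Acl) and read access to the directory.
Import-Module ActiveDirectory

function Get-ExtendedRightGuid {
    # Look the control-access right up in the configuration partition
    # instead of hard-coding its rightsGuid.
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$right.rightsGuid
}

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, looked up by lDAPDisplayName.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Test-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # delegated group, e.g. 'PCAdmins'
        [Parameter(Mandatory)][string]$UserName     # sAMAccountName of the account whose reset fails
    )
    $group = Get-ADGroup -Identity $GroupName
    $user  = Get-ADUser  -Identity $UserName -Properties adminCount
    $ident = "$((Get-ADDomain).NetBIOSName)\$($group.SamAccountName)"

    $resetGuid      = Get-ExtendedRightGuid -DisplayName 'Reset Password'
    $pwdLastSetGuid = Get-SchemaGuid -LdapDisplayName 'pwdLastSet'

    # A member of a protected group gets adminCount=1 and a copy of the AdminSDHolder
    # DACL with inheritance disabled, so ACEs delegated on the OU never reach it.
    # adminCount stays 1 after the account leaves the group; it has to be cleared
    # and inheritance re-enabled by hand.
    $isProtected = ($user.adminCount -eq 1)

    # Read the DACL of the user object itself: this, not the OU's DACL, is what
    # the DC evaluates when the reset is attempted.
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ident })

    # ExtendedRight with objectType = Reset Password (or an empty GUID, which means
    # "all extended rights"). GenericAll also carries the ExtendedRight bit.
    $hasReset = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [guid]::Empty)
    }).Count -gt 0

    # WriteProperty on pwdLastSet (or on all properties) is what the
    # "user must change password at next logon" checkbox needs.
    $hasPwdLastSet = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $pwdLastSetGuid -or $_.ObjectType -eq [guid]::Empty)
    }).Count -gt 0

    if ($isProtected) {
        $diag = 'Protected account (adminCount=1): OU delegation does not apply; delegate on AdminSDHolder or take the account out of the protected group.'
    } elseif (-not $hasReset) {
        $diag = 'No Allow Reset Password ACE for the group reaches this object: check the OU ACE scope (descendant user objects) and whether inheritance is blocked on the object.'
    } elseif (-not $hasPwdLastSet) {
        $diag = 'Reset Password is present, but "must change password at next logon" also needs Write on pwdLastSet.'
    } else {
        $diag = 'Delegation on this object looks correct: verify replication to the DC the admin tool is talking to.'
    }

    [pscustomobject]@{
        User                     = $user.SamAccountName
        Group                    = $ident
        ProtectedByAdminSDHolder = $isProtected
        InheritanceBlocked       = $acl.AreAccessRulesProtected
        HasResetPassword         = $hasReset
        HasWritePwdLastSet       = $hasPwdLastSet
        MatchingAceCount         = $aces.Count
        Diagnosis                = $diag
    }
}

# Usage: the group name comes from the thread, 'someuser' is a placeholder.
Test-ResetPasswordDelegation -GroupName 'PCAdmins' -UserName 'someuser' | Format-List
```
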
Mark Z. (Guest)
Posted: Tue Nov 18, 2008 3:06 pm    Post subject: Re: Delegate Control... Reset Passwords

Did you also delegate them permission to the pwdLastSet attribute?

JPolicelli [MVP-DS] (Guest)
Posted: Tue Nov 18, 2008 3:23 pm    Post subject: Re: Delegate Control... Reset Passwords

I typically do not. What is it that you want them to do with this attribute?

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/
----

Jorge Silva (Guest)
Posted: Tue Nov 18, 2008 7:35 pm    Post subject: Re: Delegate Control... Reset Passwords

Hi
pwdLastSet makes sense because you WANT to have the ability to select the
option to force the user to change the password at the next logon. You don't
want the admins to keep the user's password. Of course you can tell the user to
change it themselves, but many companies have this procedure: after resetting a
PW, force the user to change it. For that you need Read and Write permissions
on the pwdLastSet attribute.
For that check:
http://support.microsoft.com/kb/296999

Don't use existing AD groups to do that; create your own groups and assign
the necessary permissions to do their job. Check the how-to at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
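
The delegation described above, as an added example rather than code from the thread or from the linked how-to: one function that grants a custom group the Reset Password control-access right plus Read/Write on pwdLastSet, scoped to user objects under a single OU. It assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's DACL; the OU DN and group name in the usage line are placeholders modelled on the thread.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and write access to the target OU's security descriptor.
Import-Module ActiveDirectory

function Grant-PasswordResetDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # OU whose descendant users are in scope
        [Parameter(Mandatory)][string]$GroupName             # custom delegation group, not a built-in one
    )
    $rootDse = Get-ADRootDSE
    $sid     = (Get-ADGroup -Identity $GroupName).SID

    # Resolve every GUID from the directory rather than hard-coding it.
    $schemaNc = $rootDse.schemaNamingContext
    $userClassGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
    $pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
    $resetGuid      = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    # "Descendents" plus inheritedObjectType = user is the "Descendant User objects"
    # scope of the ADUC Advanced Security dialog: the ACEs never apply to the OU
    # itself, nor to computer or group objects beneath it.
    $scope      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $propRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $aces = @(
        # Control-access right: ExtendedRight whose objectType is the Reset Password GUID
        (New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $extRight, $allow, $resetGuid, $scope, $userClassGuid),
        # Property right on the one attribute "must change password at next logon" writes
        (New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $propRights, $allow, $pwdLastSetGuid, $scope, $userClassGuid)
    )

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    foreach ($ace in $aces) { $acl.AddAccessRule($ace) }

    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, "Add Reset Password and pwdLastSet ACEs for $GroupName")) {
        Set-Acl -Path $path -AclObject $acl
    }
    # Return the ACEs so the caller can review what was (or, with -WhatIf, would be) written.
    $aces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Usage with placeholders modelled on the thread; -WhatIf previews without touching the DACL.
Grant-PasswordResetDelegation -OuDistinguishedName 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com' `
    -GroupName 'PCAdmins' -WhatIf
```

Run the diagnostic from the earlier reply afterwards (or dsacls on a user under the OU) to confirm the two ACEs are now inherited by the user objects.
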


Otto (Guest)
Posted: Wed Nov 19, 2008 7:05 pm    Post subject: Re: Delegate Control... Reset Passwords

Thanks for everyone's replies.

The PCAdmins group is a member of the following two groups:

- DHCP Users
- Print Operators

Is this my problem? If I remove them from these groups, how long will
replication take to my other DCs?

Also, I need these users to be able to view DHCP information. How can I
keep this ability?
- O

Jorge Silva (Guest)
Posted: Thu Nov 20, 2008 3:18 pm    Post subject: Re: Delegate Control... Reset Passwords

For DCs within the same site the changes are fast. Between sites, it depends on
your replication configuration.
You can force replication to push the changes immediately to all DCs. You
can use ADSS or repadmin.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


Otto (Guest)
Posted: Tue Nov 25, 2008 1:55 pm    Post subject: Re: Delegate Control... Reset Passwords

Well my replication worked fine. All changes replicated out. I removed the
PCAdmins from the "Print Operators" group, but still no luck. PCAdmins still
cannot change user passwords in selected sub-OUs.
- O


Jorge Silva (Guest)
Posted: Tue Nov 25, 2008 2:49 pm    Post subject: Re: Delegate Control... Reset Passwords

Either something is wrong with the delegation or replication is failing. Any
errors in the event log? Also type from cmd:
repadmin /replsum * /bysrc /bydest /sort:delta
and check for errors.

Are you working with local groups on member servers or DCs?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


This posting is provided "AS IS" with no warranties, and confers no
rights.


"JPolicelli [MVP-DS]" <JPolicelliMVPDS@discussions.microsoft.com
wrote
in
message news:%23H0dHoZSJHA.1148@TK2MSFTNGP05.phx.gbl...
I typically do not. What is it that you want them to do with this
attribute?

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no
rights!
http://johnpolicelli.wordpress.com/
----

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:C5249BEC-756C-4EB9-84EA-EBA5340B73A1@microsoft.com...
Did you also delegate them permission to the pwdLastSet attribute?

"JPolicelli [MVP-DS]" wrote:

The Account Operators group is the wrong group to use. This group
has
the
permissions to create/delete InetOrgPerson objects, computer
objects,
group objects, and user objects on every OU in the domain by
default.
The
goal is to reset passwords for users in selected OU's, but not
all.

You are headed in the right direction Otto. Your "PCAdmins, Reset
Password, <not inherited>, User Objects" line indicates that you
setup
the
appropriate permission to meet your goal. If you run the DSACLs
command,
what does it show for the PCAdmins group? You should see something
like
this for the permission in question:
Inherited to user

Allow DOMAINNAME\PCAdmins Reset Password

Another question...is this problem applicable to password resets
for
all
users or a subset of users? If it is the latter, check whether the
applicable user(s) is/are a member of a protected group:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

If they are, then permissions on these objects are not inherited
from
the
Domain ACL or OU ACLs. You need to delegate permissions on the
AdminSDHolder object.

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no
rights!
http://johnpolicelli.wordpress.com/
----

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66e2168cb171bbe074530@msnews.microsoft.com...
Hello Otto,

Are the not working accounts members of the "Account operators"
group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm


I have a group of admins that are able to reset passwords for
users
in
selected OU's, but not all. Security settings appear the same
on
all
OU's, but these admins all receive the message "Access Denied"
when
trying to reset passords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members
OU Structure:
domain.com>\Community\Name1\Computers
domain.com>\Community\Name1\Users
domain.com>\Community\Name2\Computers
domain.com>\Community\Name2\Users
etc...
Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object
and
all
child
objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com,
This
object
and all child objects
Thank you.






Back to top
Otto
Guest





PostPosted: Tue Nov 25, 2008 4:38 pm    Post subject: Re: Delegate Control... Reset Passwords Reply with quote

The Replication summary came back with no errors. The only error I find in
the Event Viewer is an "MRxSmb" Event ID "8003", Master Browser error.

Also, if I check the Security properties of an actual user account, I don't
see PCAdmins in there at all, but I do see the following:
Type="Everyone", Name="Everyone", Permission="Change Password", not
inherited, this object only.
- O

"Jorge Silva" wrote:

Quote:
Either is something wrong with delegation or replication is failling, any
errors in eventlog? also type from cmd:
repadmin /replsum * /bysrc /bydest /sort:delta
check erros.

Are you working with local groups in member servers or DCs?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Otto" <Otto@discussions.microsoft.com> wrote in message
news:B885686C-DE87-45DE-B9D9-4C41019AC79B@microsoft.com...
Well my replication worked fine. All changes replicated out. I removed
the
PCAdmins from the "Print Operators" group, but still no luck. PCAdmins
still
cannot change user passwords in selected sub-OU's.
- O


"Jorge Silva" wrote:

For DCs within the same site the changes fast. Between sites, depends of
your replication configuration.
You can force replication to make the changes immediately to all DCs. You
can use ADSS or repadmin.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


"Otto" <Otto@discussions.microsoft.com> wrote in message
news:30CAF347-709A-4B6A-A68E-6337CA672797@microsoft.com...
Thanks for everyone's replies.

the PCAdmins group is a member of the following two groups:

- DHCP Users
- Print Operators

Is this my problem? If I remove them from these groups, how long with
replication take to my other DC's?

Also, I need these users to be able to View DHCP information. How can
I
keep this ability?
- O

"Jorge Silva" wrote:

Hi
pwdLastSet makes sence because you WANT to have the ability to select
the
option to force the user to change the password in the next logon. You
don't
want that Admins keep the users password. Of course you can tell the
user
to
change it by it self, but there are many companies that have this
procedure - After resetting a PW, force the user to change it. You
need
for
that Read and Write permissions in pwdLastSet attribute.
For that check:
http://support.microsoft.com/kb/296999

Don't use existing AD groups to do that, create your own Groups and
assign
the necessary permissions to do their job. check the haow at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


"JPolicelli [MVP-DS]" <JPolicelliMVPDS@discussions.microsoft.com
wrote
in
message news:%23H0dHoZSJHA.1148@TK2MSFTNGP05.phx.gbl...
I typically do not. What is it that you want them to do with this
attribute?

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no
rights!
http://johnpolicelli.wordpress.com/
----

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:C5249BEC-756C-4EB9-84EA-EBA5340B73A1@microsoft.com...
Did you also delegate them permission to the pwdLastSet attribute?

"JPolicelli [MVP-DS]" wrote:

The Account Operators group is the wrong group to use. This group
has
the
permissions to create/delete InetOrgPerson objects, computer
objects,
group objects, and user objects on every OU in the domain by
default.
The
goal is to reset passwords for users in selected OU's, but not
all.

You are headed in the right direction Otto. Your "PCAdmins, Reset
Password, <not inherited>, User Objects" line indicates that you
setup
the
appropriate permission to meet your goal. If you run the DSACLs
command,
what does it show for the PCAdmins group? You should see something
like
this for the permission in question:
Inherited to user

Allow DOMAINNAME\PCAdmins Reset Password

Another question...is this problem applicable to password resets
for
all
users or a subset of users? If it is the latter, check whether the
applicable user(s) is/are a member of a protected group:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

If they are, then permissions on these objects are not inherited
from
the
Domain ACL or OU ACLs. You need to delegate permissions on the
AdminSDHolder object.

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no
rights!
http://johnpolicelli.wordpress.com/
----

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66e2168cb171bbe074530@msnews.microsoft.com...
Hello Otto,

Are the not working accounts members of the "Account operators"
group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm


I have a group of admins that are able to reset passwords for
users
in
selected OU's, but not all. Security settings appear the same
on
all
OU's, but these admins all receive the message "Access Denied"
when
trying to reset passords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members
OU Structure:
domain.com>\Community\Name1\Computers
domain.com>\Community\Name1\Users
domain.com>\Community\Name2\Computers
domain.com>\Community\Name2\Users
etc...
Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object
and
all
child
objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com,
This
object
and all child objects
Thank you.







Back to top
Jorge Silva
Guest





PostPosted: Tue Nov 25, 2008 9:08 pm    Post subject: Re: Delegate Control... Reset Passwords Reply with quote

I was missing one post. It sounds like PCAdmins was successfully removed
from the "Print Operators" security group, correct?

Now, the issue you have is with password delegation, right?
Assuming yes, review the steps at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.


"Otto" <Otto@discussions.microsoft.com> wrote in message
news:226A0923-CDE3-4EAA-8E9C-DFA9DB222349@microsoft.com...
Quote:
The Replication summary came back with no errors. The only error I find
in
the Event Viewer is an "MRxSmb"-Event ID "8003", Master Browser error.

Also, If I check the Security properties of an actual user account, I
don't
see PCAdmins in their at all, but I do see the following:
Type="Everyone", Name="Everyone", Permission="Change Password", not
inhertied, this object only.
- O

"Jorge Silva" wrote:

Either is something wrong with delegation or replication is failling, any
errors in eventlog? also type from cmd:
repadmin /replsum * /bysrc /bydest /sort:delta
check erros.

Are you working with local groups in member servers or DCs?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


"Otto" <Otto@discussions.microsoft.com> wrote in message
news:B885686C-DE87-45DE-B9D9-4C41019AC79B@microsoft.com...
Well my replication worked fine. All changes replicated out. I
removed
the
PCAdmins from the "Print Operators" group, but still no luck. PCAdmins
still
cannot change user passwords in selected sub-OU's.
- O


"Jorge Silva" wrote:

For DCs within the same site the changes fast. Between sites, depends
of
your replication configuration.
You can force replication to make the changes immediately to all DCs.
You
can use ADSS or repadmin.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


"Otto" <Otto@discussions.microsoft.com> wrote in message
news:30CAF347-709A-4B6A-A68E-6337CA672797@microsoft.com...
Thanks for everyone's replies.

the PCAdmins group is a member of the following two groups:

- DHCP Users
- Print Operators

Is this my problem? If I remove them from these groups, how long
with
replication take to my other DC's?

Also, I need these users to be able to View DHCP information. How
can
I
keep this ability?
- O

"Jorge Silva" wrote:

Hi
pwdLastSet makes sence because you WANT to have the ability to
select
the
option to force the user to change the password in the next logon.
You
don't
want that Admins keep the users password. Of course you can tell
the
user
to
change it by it self, but there are many companies that have this
procedure - After resetting a PW, force the user to change it. You
need
for
that Read and Write permissions in pwdLastSet attribute.
For that check:
http://support.microsoft.com/kb/296999

Don't use existing AD groups to do that, create your own Groups and
assign
the necessary permissions to do their job. check the haow at:
RESET USER PASSWORDS
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


"JPolicelli [MVP-DS]" <JPolicelliMVPDS@discussions.microsoft.com
wrote
in
message news:%23H0dHoZSJHA.1148@TK2MSFTNGP05.phx.gbl...
I typically do not. What is it that you want them to do with this
attribute?

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers
no
rights!
http://johnpolicelli.wordpress.com/
----

"Mark Z." <MarkZ@discussions.microsoft.com> wrote in message
news:C5249BEC-756C-4EB9-84EA-EBA5340B73A1@microsoft.com...
Did you also delegate them permission to the pwdLastSet
attribute?

"JPolicelli [MVP-DS]" wrote:

The Account Operators group is the wrong group to use. This
group
has
the
permissions to create/delete InetOrgPerson objects, computer
objects,
group objects, and user objects on every OU in the domain by
default.
The
goal is to reset passwords for users in selected OU's, but not
all.

You are headed in the right direction Otto. Your "PCAdmins,
Reset
Password, <not inherited>, User Objects" line indicates that
you
setup
the
appropriate permission to meet your goal. If you run the DSACLs
command,
what does it show for the PCAdmins group? You should see
something
like
this for the permission in question:
Inherited to user

Allow DOMAINNAME\PCAdmins Reset Password

Another question...is this problem applicable to password
resets
for
all
users or a subset of users? If it is the latter, check whether
the
applicable user(s) is/are a member of a protected group:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

If they are, then permissions on these objects are not
inherited
from
the
Domain ACL or OU ACLs. You need to delegate permissions on the
AdminSDHolder object.

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers
no
rights!
http://johnpolicelli.wordpress.com/
----

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66e2168cb171bbe074530@msnews.microsoft.com...
Hello Otto,

Are the not working accounts members of the "Account
operators"
group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no
warranties,
and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm


I have a group of admins that are able to reset passwords
for
users
in
selected OU's, but not all. Security settings appear the
same
on
all
OU's, but these admins all receive the message "Access
Denied"
when
trying to reset passords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members
OU Structure:
domain.com>\Community\Name1\Computers
domain.com>\Community\Name1\Users
domain.com>\Community\Name2\Computers
domain.com>\Community\Name2\Users
etc...
Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User
Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object
and
all
child
objects
- PCAdmins, Create/Delete Computer Objects,
DC=domain,DC=Com,
This
object
and all child objects
Thank you.







Back to top
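The delegation the thread keeps coming back to (the "Reset Password" control-access right on user objects plus read/write of pwdLastSet, granted to a custom group rather than a built-in one) can be applied with dsacls and then re-read the way JPolicelli asks for earlier in the thread. The PowerShell wrapper below is an added example, not code from the thread or from the linked blog post; it assumes dsacls.exe is available on the machine, the function names are my own, and the OU DN and group name are placeholders for Otto's `Community\Name1\Users` layout.

```powershell
# Added example (not from the thread). Assumes dsacls.exe; the OU DN and the
# group name are placeholders, and the group must be one you created yourself.
function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,   # e.g. 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com'
        [Parameter(Mandatory)] [string] $Group   # e.g. 'DOMAIN\PCAdmins', never a built-in operators group
    )

    # /I:S  = inherit to sub-objects only; the trailing ';user' narrows that to
    #         user objects, so the group gets no rights on the OU object itself
    # CA    = a control-access (extended) right, here 'Reset Password'
    # RPWP  = read property + write property, here pwdLastSet, so the delegated
    #         admin can tick "user must change password at next logon"
    & dsacls.exe $OuDn /I:S /G "${Group}:CA;Reset Password;user"
    & dsacls.exe $OuDn /I:S /G "${Group}:RPWP;pwdLastSet;user"
}

function Show-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $Group
    )
    # Re-read the OU DACL and print each line naming the group plus the line
    # after it; the Reset Password entry should be marked 'Inherited to user'.
    & dsacls.exe $OuDn | Select-String -SimpleMatch $Group -Context 0,1
}

# Usage (placeholders):
# Grant-ResetPasswordDelegation -OuDn 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com' -Group 'DOMAIN\PCAdmins'
# Show-ResetPasswordDelegation  -OuDn 'OU=Users,OU=Name1,OU=Community,DC=domain,DC=com' -Group 'DOMAIN\PCAdmins'
```

Two things this deliberately does not do: it grants nothing on the OU object itself (the `/I:S` scope), and it grants no generic write on user objects, only the one attribute and the one extended right the reset workflow needs. Run the Show function against a sub-OU where the reset still fails; if the group's entries are missing there while present on the parent, inheritance on that sub-OU is blocked and the grant has to be repeated or inheritance restored.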
Jorge de Almeida Pinto [MVP - DS]
Guest





PostPosted: Fri Nov 28, 2008 11:55 pm    Post subject: Re: Delegate Control... Reset Passwords Reply with quote

I'm reading this as: users do not have the right to reset passwords for
certain objects while they do for other objects in the same container.

Have a look at the adminsdholder object (google it)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Otto" <Otto@discussions.microsoft.com> wrote in message
news:7908D59B-DB1E-477D-A3E1-7E38022A764D@microsoft.com...
Quote:
I have a group of admins that are able to reset passwords for users in
selected OU's, but not all. Security settings appear the same on all
OU's,
but these admins all receive the message "Access Denied" when trying to
reset
passords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members

OU Structure:
domain.com>\Community\Name1\Computers
domain.com>\Community\Name1\Users
domain.com>\Community\Name2\Computers
domain.com>\Community\Name2\Users
etc...

Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all child
objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This object
and all child objects

Thank you.
Back to top
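To tell a plain delegation gap from the AdminSDHolder case that Jorge de Almeida Pinto and JPolicelli point at, the failing user object's own DACL and its adminCount attribute have to be read, not the OU's. The PowerShell below is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module (Get-ADRootDSE, Get-ADObject, Get-ADUser and the AD: drive), the function name is my own, and the user and group names in the usage line are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module;
# user and group names are placeholders.
Import-Module ActiveDirectory

function Test-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # user whose reset returns Access Denied
        [Parameter(Mandatory)] [string] $DelegatedGroup    # NT-style name, e.g. 'DOMAIN\PCAdmins'
    )

    $rootDse = Get-ADRootDSE

    # Resolve the GUID of the 'Reset Password' control-access right from the
    # configuration partition instead of hard-coding it.
    $resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                               -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $resetGuid = [guid]$resetRight.rightsGuid

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf

    # Protected groups as listed in the thread. Only direct membership is shown
    # here; adminCount=1 is the authoritative sign that SDProp has stamped the
    # AdminSDHolder ACL onto this object (nested membership included).
    $protectedGroups = 'Account Operators', 'Server Operators', 'Print Operators',
                       'Backup Operators', 'Domain Admins', 'Schema Admins',
                       'Enterprise Admins', 'Cert Publishers'
    $directProtected = $user.memberOf |
        ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } |
        Where-Object { $protectedGroups -contains $_ }

    # Read the object's own DACL and keep the ACEs that allow Reset Password.
    # An all-zero ObjectType with ExtendedRight means "every extended right".
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $resetAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    $groupAce = $resetAces | Where-Object { $_.IdentityReference.Value -eq $DelegatedGroup }

    if ($groupAce) {
        $verdict = 'ACE present on the object; check the admin token (group membership) and replication'
    } elseif ($user.adminCount -eq 1) {
        $verdict = 'Protected account: AdminSDHolder DACL applies, OU delegation never reaches it'
    } else {
        $verdict = 'No ACE for the group on this object; re-check the OU delegation and inheritance'
    }

    [pscustomobject]@{
        User                   = $user.DistinguishedName
        AdminCount             = $user.adminCount
        InheritanceBlocked     = $acl.AreAccessRulesProtected
        DirectProtectedGroups  = ($directProtected -join ', ')
        ResetPasswordGrantees  = (($resetAces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')
        DelegatedGroupHasRight = [bool]$groupAce
        Verdict                = $verdict
    }
}

# Usage (placeholders):
# Test-ResetPasswordDelegation -SamAccountName jdoe -DelegatedGroup 'DOMAIN\PCAdmins'
```

A result of adminCount=1, InheritanceBlocked=True and no ACE for the group is the AdminSDHolder signature: SDProp has replaced the object's DACL with the one on CN=AdminSDHolder,CN=System and disabled inheritance, so whatever was delegated on the OU does not apply. Granting the right on AdminSDHolder itself, as suggested in the thread, extends it to every protected account in the domain, Domain Admins included, so for an ordinary user the narrower fix is to take the account out of the protected group; the object does not recover on its own afterwards, its adminCount has to be cleared and inheritance re-enabled before the OU delegation takes effect again.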
JPolicelli [MVP-DS]
Guest





PostPosted: Thu Dec 04, 2008 7:56 pm    Post subject: Re: Delegate Control... Reset Passwords Reply with quote

You may find this useful Otto: http://policelli.com/blog/?p=136.


--

JPolicelli, MVP - Directory Services

http://www.policelli.com
http://policelli.com/blog

This posting is provided AS IS with no warranties and confers no rights.
Always plan and test.

----

"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:OW2fI1bUJHA.1164@TK2MSFTNGP02.phx.gbl...
Quote:
I'm reading this as users do not have the right to reset passwords for
certain objects while they do other objects in the same container.

Have a look at the adminsdholder object (google it)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Otto" <Otto@discussions.microsoft.com> wrote in message
news:7908D59B-DB1E-477D-A3E1-7E38022A764D@microsoft.com...
I have a group of admins that are able to reset passwords for users in
selected OU's, but not all. Security settings appear the same on all
OU's,
but these admins all receive the message "Access Denied" when trying to
reset
passords. Here is my configuration:

ADUC = <domain.com>\Admins
Security Group - "PCAdmins"; 7 members

OU Structure:
domain.com>\Community\Name1\Computers
domain.com>\Community\Name1\Users
domain.com>\Community\Name2\Computers
domain.com>\Community\Name2\Users
etc...

Security placed on "Users" OU as follows:
- PCAdmins, Read/Write Property, <not inherited>, User Objects
- PCAdmins, Reset Password, <not inherited>, User Objects
- PCAdmins, Read, OU=Community,DC=domain,DC=Com, This object and all
child
objects
- PCAdmins, Create/Delete Computer Objects, DC=domain,DC=Com, This object
and all child objects

Thank you.
Back to top
Powered by phpBB © 2001, 2005 phpBB Group