AD Delegation question


HC

Hi,

I recently tried to delegate a 'domain user' to unlock
the account and reset the password of another account which
has the builtin 'Administrator' membership. I did not
use the delegation wizard; instead, I configured the
read/write lockout time and reset password properties
in the Security tab.
Within an hour, after replication had taken place, I realised
that the delegation properties I had configured earlier
had disappeared.
I tried this a few more times, but to no avail.

I have a hunch that AD does not allow a standard domain
user to be delegated to unlock or reset accounts which
have the Administrator membership as this would defeat
the purpose of security within Windows 2000.

Has anyone tried this? Can someone please prove that
this is the case?

Thanks in advance.
HC
 

Matjaz Ladava [MVP]

You are correct. You cannot change the security settings of users that are
members of the Administrators group. This is done by the AdminSDHolder process,
which runs on the PDC operations master and resets the security settings on
user accounts with special privileges. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180 for a full
explanation.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Guest

Thanks Matjaz. It sure clears things up a little. Is there a workaround that you know of?
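As an added example (not code from this thread, from Microsoft, or from any of the posters), the PowerShell below does two things: it checks whether an account is one that SDProp stamps from AdminSDHolder, which is the mechanism Matjaz describes and the reason the per-object ACEs vanished, and it shows the usual answer to the follow-up question about a workaround: grant the "Reset Password" extended right and read/write on lockoutTime on the AdminSDHolder object itself, so SDProp copies those ACEs onto every protected account instead of removing them. The user name opsadmin, the group name Helpdesk, and the use of the RSAT ActiveDirectory module are assumptions; the thread is about Windows 2000, where this module does not exist, but AdminSDHolder behaves the same way on current domains.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory
# PowerShell module (RSAT) on a domain-joined host, an account that can read
# the schema and AdminSDHolder, and Domain Admin rights for the final step.
Import-Module ActiveDirectory

$rootDse       = Get-ADRootDSE
$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# Hypothetical names for illustration; replace with real objects.
$targetUser    = 'opsadmin'    # the Administrators member the helpdesk should unlock
$helpdeskGroup = 'Helpdesk'    # the group that should receive the delegated rights

# --- 1. Show why the per-object delegation vanished -------------------------
# SDProp (run by the PDC emulator, every 60 minutes by default) copies the
# DACL of AdminSDHolder onto every account it considers protected and marks
# them with adminCount=1. An ACE added to such an account directly survives
# only until the next run, which matches what the original poster observed.
$user = Get-ADUser -Identity $targetUser -Properties adminCount, nTSecurityDescriptor
'{0}: adminCount={1}' -f $user.SamAccountName, $user.adminCount
if ($user.adminCount -eq 1) {
    'This account is protected; ACEs set on it directly will be overwritten by SDProp.'
}

# ACEs currently granted to the helpdesk group on AdminSDHolder (usually none)
$holderAcl = Get-Acl -Path "AD:\$adminSDHolder"
$holderAcl.Access |
    Where-Object { $_.IdentityReference -like "*\$helpdeskGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

# --- 2. Workaround: put the ACEs on AdminSDHolder so SDProp copies them ------
# Look the GUIDs up from the directory instead of hard-coding them.
$resetPwdRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$lockoutAttr   = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID

$resetPwdGuid = [guid]$resetPwdRight.rightsGuid
$lockoutGuid  = [guid]$lockoutAttr.schemaIDGUID
$groupSid     = (Get-ADGroup -Identity $helpdeskGroup).SID
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
# AdminSDHolder's DACL is copied, not inherited, so the ACEs carry no inheritance flags.
$noInherit    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# "Reset Password" extended right
$holderAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $noInherit))
# Read/write lockoutTime (what "unlock account" needs)
$holderAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $lockoutGuid, $noInherit))

# Review with -WhatIf first; remove it to apply. The change reaches every
# protected account (all adminCount=1 objects), not only $targetUser.
Set-Acl -Path "AD:\$adminSDHolder" -AclObject $holderAcl -WhatIf
```

The caveat is the important part: because AdminSDHolder is the template for every protected account, this grants the Helpdesk group reset-password and unlock rights over Domain Admins, Enterprise Admins and the other protected groups as well, not just over the one account in the question. Anyone who can reset a Domain Admin's password is effectively a Domain Admin, so the delegated group must be treated and protected as such. After applying, the ACEs appear on the protected accounts at the next SDProp cycle (on Windows Server 2008 R2 and later it can be triggered immediately by writing runProtectAdminGroupsTask=1 to rootDSE on the PDC emulator); on the Windows 2000 domain in the thread, waiting for the default interval is the option.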
 
