Delegated Authority

Simon Young

Can anybody help me please?

I'm trying to create a custom mmc so I can delegate the reset password option
on a specific OU to a specific group of users. It all works fine, I create a
new mmc, add the snap-in and path to the desired OU and choose new window.
Then when saving I select the right user mode so they can't move out from the
offered container.

I then click on Delegate control, this brings up the wizard and I add the
group, then select the permission (i.e. reset password) and save the mmc in
a central share that the delegated authorities can see and have full control
over.

The problem is, when I try to open the mmc, I get a 'snap in failed to
initialize... Name <Unknown>' warning so they can't open it (nor can I if I
log on to that machine so I don't think it's a user permission issue),
however, if I open it on the machine I created it on (my machine) but logged
in as the delegated user, it works fine, although when I right click on a
user, I can also add them to groups etc, does this sound right or am I doing
it wrong?

So will I need to install Adminpak.msi onto the machines that I want to
reset passwords, and is there a setting that will restrict that user to only
resetting passwords?

Many thanks in advance

Simon
 
Herb Martin

Simon Young said:
> Can anybody help me please?
>
> I'm trying to create a custom mmc so I can delegate the reset password
> option on a specific OU to a specific group of users. It all works fine, I
> create a new mmc, add the snap-in and path to the desired OU and choose new
> window. Then when saving I select the right user mode so they can't move
> out from the offered container.
>
> I then click on Delegate control, this brings up the wizard and I add the
> group, then select the permission (i.e. reset password) and save the mmc
> in a central share that the delegated authorities can see and have full
> control over.
>
> The problem is, when I try to open the mmc, I get a 'snap in failed to
> initialize... Name <Unknown>' warning so they can't open it (nor can I if I
> log on to that machine so I don't think it's a user permission issue),
> however, if I open it on the machine I created it on (my machine) but
> logged in as the delegated user, it works fine, although when I right
> click on a user, I can also add them to groups etc, does this sound right
> or am I doing it wrong?

Most probably you are trying (and failing) on a machine which
doesn't have the required DLLs.

> So will I need to install Adminpak.msi onto the machines that I want to
> reset passwords, and is there a setting that will restrict that user to
> only resetting passwords?

Yes, AdminPak.msi is the way to get the tools on the individual
machines.

They will only be able to do those functions you have delegated.

You can also make sure they don't have permissions to even run
the "other tools" on their machine by making sure they are not
"admins" of their own machines, or by carefully setting permissions.

Perhaps even using a "software restriction policy" will benefit
you.
 
Jorge de Almeida Pinto

For more information on delegating tasks see:
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
and
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


For more info on Taskpad views and tasks:
http://www.microsoft.com/technet/pr...elp/3d0c783c-7789-4400-953b-d22a501ae535.mspx
http://www.winsupersite.com/showcase/win2k_taskpad.asp
http://www.petri.co.il/create_taskpads_for_ad_operations.htm


################################
RESET USER PASSWORDS
---------------------------------
To reset user passwords you need the “Reset Password” extended right on the
user object. This is also available through the delegation of control wizard
using the common delegated task “Reset a user account’s password”.

If you want to reset user passwords and force password change at next logon
you need the “Reset Password” extended right on the user object and you need
Read/Write permissions on the attribute “pwdLastSet”. This is also available
through the delegation of control wizard using the common delegated task
“Reset user passwords and force password change at next logon”.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
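
One way to confirm that the delegated group holds only the two permissions described above, as an added example that is not from any poster in this thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU distinguished name and group name are placeholders, and the GUIDs are the well-known schema identifiers for the Reset Password right, the pwdLastSet attribute and the user class.

```powershell
# Added example: list every ACE a delegated group holds on an OU and mark
# anything other than "Reset Password" / pwdLastSet read-write on user objects.
Import-Module ActiveDirectory

# Placeholders, not values from the thread.
$ouDn  = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\PasswordResetters'

# Well-known schema GUIDs.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# Access-mask values used by the two delegated tasks.
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rpwp          = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

function Test-ExpectedAce($ace) {
    $rights  = [int]$ace.ActiveDirectoryRights
    $allow   = ($ace.AccessControlType -eq 'Allow')
    $onUsers = ($ace.InheritedObjectType -eq $userClass)

    # Extended right scoped to exactly "Reset Password".
    $isReset = ($rights -eq $extendedRight) -and ($ace.ObjectType -eq $resetPassword)

    # Read and/or write property, scoped to pwdLastSet only.
    $isPwdLastSet = (($rights -band (-bnot $rpwp)) -eq 0) -and ($ace.ObjectType -eq $pwdLastSet)

    return ($allow -and $onUsers -and ($isReset -or $isPwdLastSet))
}

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
        InheritedObjectType, IsInherited,
        @{ Name = 'Expected'; Expression = { Test-ExpectedAce $_ } } |
    Format-Table -AutoSize
```

Any row with `Expected` set to `False` is a permission beyond the password-reset delegation and should be reviewed. This reads only the OU's own ACL, so rights the group gains through other group memberships or ACEs set directly on individual user objects are not shown.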


 
