OU Permissions

Steve

I currently have permission to change users' passwords,
but when I check the box "User must change password at
next logon" I get access is denied.

Any ideas? I don't have access to the OU that I'm to
look at the properties or permissions, but the guy who
is over that area claims he worked on it for two weeks
and couldn't figure it out.

We can add PCs to a domain but can't delete them; we can
change passwords but can't force the user to change at
the next logon; and we can't create user accounts.

Any ideas would be greatly appreciated.
 
Ace Fekay [MVP]

Steve said:
> I currently have permission to change users' passwords,
> but when I check the box "User must change password at
> next logon" I get access is denied.
>
> Any ideas? I don't have access to the OU that I'm to
> look at the properties or permissions, but the guy who
> is over that area claims he worked on it for two weeks
> and couldn't figure it out.
>
> We can add PCs to a domain but can't delete them; we can
> change passwords but can't force the user to change at
> the next logon; and we can't create user accounts.
>
> Any ideas would be greatly appreciated.

The permission to change passwords is just that: changing passwords. That
permission does not give you permission to change user property
settings or even to create user accounts.

Any user account can add up to 20 machines to a domain by default. That is a
default setting and can be changed through ADSI Edit, DomainNC properties,
DsMachineAccountQuote (I think that's what it was). Default is 20. It can be
changed to whatever the admin desires it to be.

If you look in the properties of the OU, Security tab, Advanced, then go to
View/Edit, then in the upper drop-down box select User Objects, you can
see the granularized permissions at the bottom. There are about 15 of them
(forget the count). You would need to select one of them that gives you the
permissions to change user account attributes (forget which one it is
without a machine in front of me).

So, you would have to contact the admin that delegated your permissions to
the OU to give you additional permissions to change user attributes and
create users, etc.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Steve

That was the whole reason they changed everything from
how it used to be: they don't want us creating users.

Oh well, thanks for the help.
 
Ace Fekay [MVP]

Steve said:
> That was the whole reason they changed everything from
> how it used to be: they don't want us creating users.
>
> Oh well, thanks for the help.

Sorry about that...

Maybe you can ask if you can modify user attributes but not create users. I
don't have a machine in front of me to check, but I do remember that
"Modify" is a separate permission...

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Joe Richards [MVP]

To give you the ability to set "user must change password" they need to delegate to you the ability to update
pwdlastset - i.e. WP;pwdlastset
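
The delegation described in the reply above, written out as an added example that is not part of any poster's message: an OU administrator grants WP;pwdLastSet on descendant user objects with dsacls, then lists what the group can actually write so that an over-broad grant is visible. The OU DN and group name are constructed placeholders, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Constructed placeholders (assumptions): substitute your own OU and delegate group.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk'

# Ticking "User must change password at next logon" writes pwdLastSet = 0,
# so the delegate needs Write Property (WP) on that one attribute.
# /I:S applies the ACE to sub-objects only; the trailing ";user" limits it to user objects.
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# Audit: show every Allow ACE the group holds on the OU and classify its write scope.
Import-Module ActiveDirectory
$pwdLastSet = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of pwdLastSet
$WP         = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        # GenericAll and GenericWrite include the WriteProperty bit, so HasFlag catches them too.
        $scope = if (-not $_.ActiveDirectoryRights.HasFlag($WP)) {
                     'no property write'
                 } elseif ($_.ObjectType -eq $pwdLastSet) {
                     'pwdLastSet only (intended)'
                 } elseif ($_.ObjectType -eq [guid]::Empty) {
                     'ALL properties (broader than needed)'
                 } else {
                     "other attribute or property set: $($_.ObjectType)"
                 }
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            Scope       = $scope
            AppliesTo   = $_.InheritedObjectType   # GUID of the object class the ACE inherits to
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Any row reporting "ALL properties" means the group can edit every user attribute in the OU, which is more than the checkbox requires.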
 
Matt

Steve, you need to check out some provisioning products. Microsoft
MIIS may be able to handle it; there are others out there too. These
products will let you request an account creation but have someone
else approve it, and you can monitor when they approved it, how long
it took, etc. See http://www.idmtoday.com for some products and
reviews.
 
