Password Reset and Unlock unable to disable..

[Guest]

I'm an access administrator for a company to maintain users account in AD. I
had created a user account for helpdesk to have a view only on AD but the
problem is that the password reset option and account unlock is still
available when the helpdesk search for a user and look at the details. What
went wrong here?? Is there any security permission i missed out in the
built-in group or any group ?? and I have don;t have the full administration
access to modify certain group or security permission but I able to view it .
If you could help me to pinpoint which part of AD to look at then I could
raise up an issue to the server administrator.. Thank you

 

[Jorge de Almeida Pinto]

or that account is configure to have those permission on those objects or it
is member of some group that has that permission

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx

 

[Joe Richards [MVP]]

If you mean password reset is still in the right click options, you are correct,
that is displayed for everyone, it isn't based on actual permissions on the objects.

 

[Guest]

yes, the right option is still there but eventually its still able to perform
the password reset and even unlock the account although the view for them is
all deem. Even under the Account tab the option user must change the password
for the next logon is not deem . We done a test already.. please advise . tq

 

[Joe Richards [MVP]]

Even though the pick is there, if the delegation is done correctly they will not
be able to do a reset or unlock. You should probably dump the ACL for a user
with dsacls and post it.