Account Operators

Guest

Members of Account Operators Group Cannot Manage All User accounts. We are
using Windows 2003. The accounts that we are trying to manage are not
members of restricted groups such as Print Operators, Server Operators, Domain
Admin etc. The event that is generated in the Event log is event ID 628. I
cannot seem to resolve this issue. It is only for a few users.

Any suggestions?
 
S.J.Haribabu

Hi,

When an administrator resets some other user’s password such as in the case
of forgotten password support calls, Windows Server 2003 logs event ID 628.

You can use the command shown below to track such password resets.

Command to Extract Reset Passwords
logparser "SELECT RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,2,'|'),'{}%','')) AS PasswordResetOn, RESOLVE_SID(SID) AS ResetBy, TimeGenerated FROM security WHERE EventID = 628"

This command produces the report shown below.

PasswordResetOn    ResetBy              TimeGenerated
-------------------------------------------------------------------
STO\fred           STO\ADMINISTRATOR    7/12/2004 12:16:22

Report listing password resets.

Thanks,

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
ptwilliams

Please give some extra details. What do you mean by "...cannot manage all
user accounts"?

628 is password reset:
--
http://www.eventid.net/display.asp?eventid=628&eventno=213&source=Security&phase=1


Are you getting a different error/ warning?


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Guest

Let me clarify.

A member of the Account Operators group cannot manage 10 user accounts in
the domain. Using the AD User and Computer utility, the account operator
selects a user and clicks on properties. When the user's properties page
appears, no changes can be made. This only occurs for 10 users. I don't
know why. When I look at Event Viewer, the Event ID 628 is recorded as a
failure and the reason is Access Denied.

These 10 users have nothing in common. They belong to different global
groups. None of them are members of restricted groups such as
Administrators, Print Operators, Server Operators etc.

The network Administrator can manage the 10 users.

Any ideas?
 
Laura A. Robinson

circa Wed, 1 Dec 2004 06:49:03 -0800, in
microsoft.public.win2000.active_directory, JD
([email protected]) said,
> Let me clarify.
>
> A member of the Account Operators group cannot manage 10 user accounts in
> the domain. Using the AD User and Computer utility, the account operator
> selects a user and clicks on properties. When the user's properties page
> appears, no changes can be made. This only occurs for 10 users. I don't
> know why. When I look at Event Viewer, the Event ID 628 is recorded as a
> failure and the reason is Access Denied.
>
> These 10 users have nothing in common. They belong to different global
> groups. None of them are members of restricted groups such as
> Administrators, Print Operators, Server Operators etc.
>
> The network Administrator can manage the 10 users.
>
> Any ideas?

What are the ACLs on the user accounts in question?

Laura
 
Guest

Hi Laura...

Where would I check the ACLs for the user? I can't seem to find this using
the AD User and Computer Utility.

JD
 
Andrei Ungureanu

In AD Users & Computers, go to View and select Advanced Features. After that,
select the user account and go to Properties and you'll see the Security tab.
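
A scripted version of the ACL check described above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available (it is not part of a default Windows Server 2003 install); the function name and the sample account names are hypothetical.

```powershell
# Added example: compare what BUILTIN\Account Operators is granted on
# several user objects, so an affected account can be set beside a working one.
# Assumption: the ActiveDirectory module (RSAT) is installed and a DC is reachable.
Import-Module ActiveDirectory

function Get-AccountOperatorAccess {
    param(
        [Parameter(Mandatory = $true)] [string[]] $SamAccountName,
        # Well-known SID of BUILTIN\Account Operators
        [string] $OperatorSid = 'S-1-5-32-548'
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name
        $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

        # Explicit and inherited ACEs, with trustees returned as SIDs so the
        # match does not depend on how the group name is localized.
        $aces = @($acl.GetAccessRules($true, $true, $sidType) |
                  Where-Object { $_.IdentityReference.Value -eq $OperatorSid })

        $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

        New-Object PSObject -Property @{
            SamAccountName     = $user.SamAccountName
            # True means the object does not inherit permissions from its parent
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AllowAceCount      = $allow.Count
            DenyAceCount       = $deny.Count
            AllowRights        = ($allow | ForEach-Object { $_.ActiveDirectoryRights } |
                                  Sort-Object -Unique) -join '; '
        }
    }
}

# Hypothetical account names: one affected user and one that can be managed.
# Get-AccountOperatorAccess -SamAccountName 'affected.user', 'working.user' |
#     Format-Table SamAccountName, InheritanceBlocked, AllowAceCount, DenyAceCount, AllowRights -AutoSize
```

An affected account that shows no Allow entries for Account Operators, or a different InheritanceBlocked value from the working account, points at the same difference the Security tab would show.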
 
Guest

Excellent!!! Issue resolved. Account Operators did not have the correct
permissions. Thank you !!!
 
Laura A. Robinson

circa Mon, 6 Dec 2004 12:49:04 -0800, in
microsoft.public.win2000.active_directory, JD
([email protected]) said,
> Excellent!!! Issue resolved. Account Operators did not have the correct
> permissions. Thank you !!!

Fantastic! Glad you got it all worked out. :)

Laura
 
