Limiting Access Rights to AD from Windows 2000 Professional

Michael

Windows 2000 AD tree

Want to give HELP DESK staff access to AD to change user
passwords from their Windows 2000 Professional. I am able
to set up the Active Directory MMC console on the W2K
Professional. But can't seem to limit their access to
only the users' folder and to change passwords only.

Please advise.

TIA
 
Chriss3 [MVP]

Use the Delegation of Control wizard.

You need to delegate reset password ability for the container in which the
users exist.

You can't hide what they shouldn't see; by default users have read rights on
the directory unless it's set into List Object Content Mode.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Guest

I've done the DELEGATION WIZARD. I've given the user access
to review user information and change password. But when
the user accesses her MMC console she can make changes to
the user account information. Am I missing something?
Can she have more rights flowing downwards that are
overwriting the rights on a particular OU?

Could the problem be that the user's rights are not applied
when accessing the AD from Windows 2000 Professional
instead of the server?
 
Chriss3 [MVP]

Each user can change some fields on their own account by default; it's an
entry in the ACL defined to the dynamical object self. You should maybe select
to do a customized delegation within the wizard.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
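
The delegation discussed in this thread can also be made and checked from the command line with dsacls (Windows Support Tools). This is an added example, not something posted by the thread's participants; the OU, parent container, and group names are constructed placeholders.

```bat
@echo off
rem Added example. All names below are constructed placeholders.
set "OU=OU=Staff,DC=example,DC=com"
set "PARENT=DC=example,DC=com"
set "DOMAIN=EXAMPLE"
set "GROUP=HelpDesk"

rem Grant only the "Reset Password" control access right (CA) on user
rem objects. /I:S applies the entry to sub-objects of the OU, not the OU itself.
dsacls "%OU%" /I:S /G "%DOMAIN%\%GROUP%:CA;Reset Password;user"

rem Allow writing pwdLastSet on user objects so the help desk can force
rem a password change at next logon. No other attribute is writable.
dsacls "%OU%" /I:S /G "%DOMAIN%\%GROUP%:WP;pwdLastSet;user"

rem Review what the group now holds on the OU. Anything beyond the two
rem entries above (for example a write on all properties) is over-delegation.
echo --- Entries for %GROUP% on %OU%
dsacls "%OU%" | findstr /i /l "%GROUP%"

rem Repeat on the parent container: an entry granted higher up and
rem inherited downwards also applies inside the OU.
echo --- Entries for %GROUP% on %PARENT%
dsacls "%PARENT%" | findstr /i /l "%GROUP%"
```

The review step only lists entries for the one group named; rights a help desk account receives through other group memberships have to be checked the same way.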
 
