Password Change Help

R

Ryan Hanisco

I have a large and complex environment with several domains in the forest.
After bringing a dc online that was down for a few weeks, users that have
been given the account operator privileges are no longer able to change
passwords for users.

Full administrators are able to do this, but the end users are getting an
Access Denied message.

They are able to contact the correct PDCe and NSLOOKUP gives them the
correct addresses for GCs and domains.

Suggestions?
 
R

Ryan Hanisco

All,

Actually what is happening is that existing accounts cannot be managed.
These helpdesk users can create new accounts, change their passwords, and
delete the accounts.

So... what gives?
 
G

Guest

What's your environment (DC running 2000 or 2003, SP level)? Did you delegate
permissions using Delegation Control wizard?

smo
 
R

Ryan Hanisco

The primary DCs are 2000 SP4 but the one we brought up again is 2003 gold.
The accounts are members of Account Operators... not a delegated scope of
management.

The Account Operators can manage 80% of the objects but some are read only
and they get the Access Denied Error.

This is not an error with versioning. This is something to do with domain
convergence in either the AD or DNS. I am trying to nail it down to What
and Why.
 
R

Ryan Hanisco

Smo,

This is not really applicable, but I appreciate the effort.

Thanks so much.
 
B

BCE

How many "weeks" was that dc offline, there is a time limit where you can
cause problems bringing back a dc after so many days!
 
R

Ryan Hanisco

It is not past the tombstone date. I label servers with the down date
when I take them offline.. Besides, then you get tombstone errors in the
event logs. I am seeing none of that.
 
P

ptwilliams

Hey Ryan,

Have permissions be changed? It sounds like the existing accounts are no
longer inheriting permissions.

Or (worse), have these people been added to protected groups?!?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Single domain controller failing 4
DNS-Urgent-Help -Please 2
Problem with Global catalog 5
Change Field Replication Priority 1
Permission Problem 2
Escalate privileges possible on DC? 3
Want to change passwords in batch but not use an administrator 3
CloudPets stuffed toys leak details of half a million users 1

Top