Password Reset and Unlock by Help Desk


MikeD

Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
 

neo [mvp outlook]

You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.

;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------
 

Herb Martin

neo said:
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.

I am going to Google and research this but do you
happen to know the best guide for the delegwiz.inf
file?
 

~Jeffrey Smith

Wow, where is the good source of info on this Neo? What is your main source
for the available options and how to modify whitepaper?



 

neo [mvp outlook]

Knowing my luck, OE will wrap the links, but I lean quite heavily on the
appendices document.

http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

/neo


 

neo [mvp outlook]

Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.

 

Steve Foster [SBS MVP]

If Neo's options (which look really cool, btw) are too much for you (or
you need a little more than just the 3 you mentioned), there is a
predefined group called "Account Operators" that has those privileges.
It's there so that most user account operations can be quickly handed off
to a separate person, without having to give them full administrative
privileges.
 

Herb Martin

neo said:
Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.

Why the 'silly'? It doesn't seem to be your fault.

Also, the second document isn't available (right now)
-- and this is NOT due to your link, the summary page
appears but there is a web site database error on the
actual document download.

Could (one of you) send me the appendix?
 

neo [mvp outlook]

Because I'm typing the response to a question in the SBS group and, well, SBS
is the do-all collection of DC/GC/DNS/Exchange/etc.

sure... want me to use the "news" address or did you have something else in
mind?
 

Herb Martin

neo said:
because i'm typing the response to a question in the sbs group and well, sbs
is the do all collection of dc/gc/dns/exchange/.etc.

sure... want me to use the "news" address or did you have something else in
mind?

News is fine -- but I forgot to mention that .DOCs are blocked.

Please rename to anything like ._doc or zip it.

Thanks so much.
 

Joe Richards [MVP]

Account Ops, in my opinion, should not be used; it is far more powerful than
normally needed unless you have a very small shop and want to give out wide-ranging
rights. Other than modifying groups and users, acc ops have native rights
such as logging onto DCs and other items. If someone simply wants to delegate
password reset and unlock, or even create, it is much smarter to do it in a far
more focused way with delegated permissions, and it can easily be done through the
command line using dsacls.

joe
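The focused delegation Joe describes, done with dsacls, as an added example that is not part of the thread and not one of the posters' own scripts. It grants the same three things neo's delegwiz.inf templates grant (the "Reset Password" extended right plus write on pwdLastSet, write on lockoutTime for unlock, and optionally create-child user) but from the command line and scoped to a single OU. The domain name CORP, the group CORP\HelpDesk and the OU OU=Staff,DC=corp,DC=example are assumptions for the example; replace them with your own.

```powershell
# Added example (not from the thread): delegate password reset, account unlock
# and, optionally, user creation to a help-desk group with dsacls, limited to
# one OU. Assumed names: domain CORP, group CORP\HelpDesk, OU below. dsacls.exe
# ships in the Windows Support Tools on Windows Server 2003 and in-box on later
# versions. Run as an account that can modify the OU's ACL (e.g. Domain Admins).

$ou          = "OU=Staff,DC=corp,DC=example"   # assumed target OU
$group       = "CORP\HelpDesk"                  # assumed security group
$createUsers = $false                            # set to $true to also allow (3) create

# Rights on the *user objects under* the OU. /I:S means "sub-objects only",
# so nothing is granted on the OU object itself, and the trailing ";user"
# restricts each ACE to objects of class user (not groups, computers, etc.).
$userAces = @(
    "${group}:CA;Reset Password;user",   # the Reset Password extended right (CA = control access)
    "${group}:RPWP;pwdLastSet;user",     # needed for "User must change password at next logon"
    "${group}:RPWP;lockoutTime;user"     # "Unlock account" in ADUC is a write of lockoutTime
)

foreach ($ace in $userAces) {
    Write-Host "Granting $ace on $ou"
    & dsacls $ou /I:S /G $ace
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$ace' (exit code $LASTEXITCODE)" }
}

if ($createUsers) {
    # Create-child is checked on the container, so this ACE must land on the OU
    # itself as well as be inherited by sub-OUs: /I:T = this object and sub-objects.
    $ace = "${group}:CC;user"
    Write-Host "Granting $ace on $ou"
    & dsacls $ou /I:T /G $ace
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$ace' (exit code $LASTEXITCODE)" }
}

# Verify: dump the OU's ACL and show only the entries that name the help-desk group.
Write-Host "`nResulting ACEs for $group on ${ou}:"
& dsacls $ou | Select-String -SimpleMatch $group
```

Two caveats worth knowing before handing this to a help desk. First, the group gets nothing outside the OU, which is the point Joe makes against Account Operators: a member cannot reset the password of an administrator sitting in the Users container, and has no built-in right to log on to a DC. Second, members of protected groups (Domain Admins, Administrators, Account Operators and the like) have their ACLs periodically overwritten from AdminSDHolder, so even if such an account lives in this OU the delegated reset will fail for it; that is intended behaviour, not a bug in the delegation.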
 
