Permission to reset, unlock user, etc...

KC · Apr 2, 2005

I would like to give certain low level admin permissions to a couple of
people. Access to reset passwords, unlock an account, etc. What permission
and where should I do this at? I only have a single domain. Thank you.

Herb Martin · Apr 2, 2005

KC said:
I would like to give certain low level admin permissions to a couple of
people. Access to reset passwords, unlock an account, etc. What permission
and where should I do this at? I only have a single domain. Thank you.

The specific things you mention are easy to do in
AD Users/Computers by using the Delegation of
Control Wizard (right-click on an object, probably
an OU, and it's the top entry.)

Guest · Apr 2, 2005

Herb Martin said:
The specific things you mention are easy to do in
AD Users/Computers by using the Delegation of
Control Wizard (right-click on an object, probably
an OU, and it's the top entry.)

Well what Martin says is pretty true..

Just start AD users and computers with Domain Admin account ( or any other
account which has authority to delegate control) then Right click on the OU (
on which you want to delegate control), and then see the options, they are
pretty straight forward...

but if you want to give the permission of ENABLE/DISABLE account, then you
need to dig into a lil further.. you need to go into CUSTOM TASK permissons
and then select USER OBJECT (from only these specific object) and then
select WRITE USERACCOUNTCONTROL.... this will give the permission to ENBALE
or DISABLE..

Cheers,.

ptwilliams · Apr 2, 2005

Yes, the delegation of control wizard only has so many uses. However for
simple tasks it is fine. It's also a good place to start. After that
though, the only way to do this is through manually setting the atomic
permissions required on the object.

Search Microsoft's website for the delegation whitepaper. There are two
documents -the whitepaper and the appendixes. The appendixes, although
incorrect in some examples, are very helpful.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Brandon McCombs · Apr 2, 2005

Herb said:
The specific things you mention are easy to do in
AD Users/Computers by using the Delegation of
Control Wizard (right-click on an object, probably
an OU, and it's the top entry.)

Make sure you click on View in ADUC and check Advanced Features so that when
you right click on OUs and choose Properties you can view the Security ACLs on
the objects which are just like ACLs on files and directories. The delegation
wizard let's you add items but only by turning on the Security tab can you
edit/remove users/groups that you have added through the delegation wizard.

Kevin D. Goodknecht Sr. [MVP] · Apr 4, 2005

In

KC said:
I would like to give certain low level admin permissions
to a couple of people. Access to reset passwords, unlock
an account, etc. What permission and where should I do
this at? I only have a single domain. Thank you.

An Account operator should do just fine for this. Account operators can
administer domain user and group accounts

Unlock acct permissions	13	Feb 17, 2005
Password Reset and Unlock by Help Desk	13	Apr 15, 2005
Password Reset and Unlock unable to disable..	4	Jan 5, 2006
What permission is required to unlock user account	2	Feb 1, 2005
AD Permissions	2	Jan 6, 2004
Permission Problem	2	Jun 2, 2005
unlock computer permission	1	Mar 1, 2007
denied access to unlock user account	5	Feb 5, 2004

Permission to reset, unlock user, etc...

KC

Herb Martin

Guest

ptwilliams

Brandon McCombs

Kevin D. Goodknecht Sr. [MVP]

Ask a Question

Similar Threads