G
Guest
Hi guys,
At the moment our dept is trying to delegate some of our user tasks to 1st
line support to free a bit more of our time up! We want 1st line to be able
to:
1) Reset user passwords
2) Unlock user accounts
3) Enable disabled users
I've written a pretty much foolproof VB script (if there is such a thing) to
allow them to do that (didn't want to give them AD U&C as they would be
tempted to look around).
I've been testing this script under my account on our test domain (domain
admin) and everything was working spot on. I created a test user with the
same privileges as a 1st line support person and tried to test it under
there. Originally I got "Access Denied" errors when I tried to reset a
password so I did the following...
Created a new group "User support" and gave it the following permissions on
the highest OU I wanted them to have control over in the advanced permissions
menu...
1) Object tab
.....Apply onto: User Objects Only
....."Reset Password" - "Allow"
2) Properties tab
.....Apply onto: User Objects Only
....."lockout time" - "Read"
....."lockout time" - "Write"
....."pwdLastSet" - "Read"
....."pwdLastSet" - "Write"
When I log on as the account now and try to change a users password through
AD U&C it works fine, but if I try it from the script I get a "General Access
Denied" error message.
Can anyone tell me if I've missed a permission off from somewhere, or does
anyone have any links that would help describe what each of these permissions
are?
Any help is much appreciated.
At the moment our dept is trying to delegate some of our user tasks to 1st
line support to free a bit more of our time up! We want 1st line to be able
to:
1) Reset user passwords
2) Unlock user accounts
3) Enable disabled users
I've written a pretty much foolproof VB script (if there is such a thing) to
allow them to do that (didn't want to give them AD U&C as they would be
tempted to look around).
I've been testing this script under my account on our test domain (domain
admin) and everything was working spot on. I created a test user with the
same privileges as a 1st line support person and tried to test it under
there. Originally I got "Access Denied" errors when I tried to reset a
password so I did the following...
Created a new group "User support" and gave it the following permissions on
the highest OU I wanted them to have control over in the advanced permissions
menu...
1) Object tab
.....Apply onto: User Objects Only
....."Reset Password" - "Allow"
2) Properties tab
.....Apply onto: User Objects Only
....."lockout time" - "Read"
....."lockout time" - "Write"
....."pwdLastSet" - "Read"
....."pwdLastSet" - "Write"
When I log on as the account now and try to change a users password through
AD U&C it works fine, but if I try it from the script I get a "General Access
Denied" error message.
Can anyone tell me if I've missed a permission off from somewhere, or does
anyone have any links that would help describe what each of these permissions
are?
Any help is much appreciated.