Unlock acct permissions

Guest

What permissions are necessary for a user to be able to unlock an account or
reset a password? I have an MMC created for a user to reset passwords (will
this fix an account lockout?) in an OU. I have the user added to an admin
group I created for the OU. I continue to get access denied when trying to
reset a password. What permissions are necessary, and where do I access them as
the enterprise admin? Does password reset unlock an account, or is that a
separate permission? Thanks
 
Guest

Thanks. I applied both methods in article 279723 plus article 294952 and still
no access. The correct permissions are on the security group, but the user I
added to the security group still cannot do anything with account unlock or
password reset. Where can I see the effective permissions of the user, since
they are a member of this security group? The security group is a member of
the built-in Account Operators as well. Is there a default deny on regular
user accounts that is blocking this? Any help on what this could be would
be appreciated. Thanks
 
Joe Richards [MVP]

By any chance is the account they are trying to work on another enhanced user
account, say an account op or something? If so, look into adminSDHolder posts.
If not, look at the ACL with DSACLS and verify the delegation occurred as
expected and if it is correct (should be WP on lockoutTime) then have the admin
log off and log on and try again.

joe
 
Guest

I don't know what an enhanced account is. I'm just trying to give a user
account unlock permission for an OU by making them a member of a security
group in that OU with permission to unlock accounts. How to do the rest of
what you're writing about I have no idea how to accomplish. How do I verify
delegation? How do I get DSACLS to run on a specific account? I guess it is
not possible to make a sub-administrator; nothing I have done or been told
has made any difference. The permissions in the security group do not seem to
apply to its members. Everyone will have to be full admins unless I can make
these Windows permissions work as desired.
 
Joe Richards [MVP]

This stuff works as designed, trust me, I have built an enterprise class
directory (>250,000 users) and worked on several other enterprise class
directories (>100k).

dsacls is a tool in the support tools. If you have them installed you should
simply be able to type

dsacls DN_OF_OBJECT

and it will show you the actual ACL on an AD Object.


If you want to quickly check if the adminSDHolder functionality is causing
issues, go grab adfind from my website and run the following command

adfind -default -f samaccountname=userid admincount

If there is a value returned and it isn't 0, that means you are being impacted
by adminSDHolder and you should search google for that term.

Overall you appear to be a very "green" admin and you should buy one or more
books and learn this stuff before you do too much more. You need to get a handle
on the basic concepts and thoughts before you hurt yourself by giving too many
rights in the forest to others.

joe
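The checks Joe describes in his two replies (the dsacls dump of the object's ACL, the adminCount test for adminSDHolder, and the "WP on lockoutTime" ACE) can be scripted. The following is an added example, not from the thread and not Joe's dsacls or adfind; it assumes the RSAT ActiveDirectory PowerShell module and uses placeholder names ('jdoe' for the locked-out account, 'OU-Helpdesk' for the delegated security group). It goes one step beyond the thread by also checking the Reset Password control access right, which the original question asks about and which is a separate permission from the lockoutTime property write.

```powershell
# Added example (not from the thread): verify an account-unlock / password-reset
# delegation on one user object with the RSAT ActiveDirectory module.
# Assumptions: 'jdoe' and 'OU-Helpdesk' are placeholders; run from a domain-joined
# admin workstation with rights to read the directory.
Import-Module ActiveDirectory

function Test-UnlockDelegation {
    param(
        [Parameter(Mandatory)][string]$UserSam,    # sAMAccountName of the target account
        [Parameter(Mandatory)][string]$GroupName   # security group that was delegated on the OU
    )

    $user     = Get-ADUser -Identity $UserSam -Properties adminCount, lockoutTime
    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    # 1. adminSDHolder check (what "adfind ... admincount" shows): a non-zero adminCount
    #    means SDProp rewrites this object's ACL from CN=AdminSDHolder, so an OU-level
    #    delegation never reaches it. Typical cause: membership in a protected group
    #    such as Account Operators.
    $protected = ($null -ne $user.adminCount) -and ($user.adminCount -ne 0)

    # 2. Resolve the schemaIDGUID of lockoutTime and the rightsGuid of "Reset Password"
    #    from this forest rather than hard-coding them.
    $rootDse     = Get-ADRootDSE
    $lockoutAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
    $lockoutGuid = [System.Guid]::new([byte[]]$lockoutAttr.schemaIDGUID)
    $resetRight  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $resetGuid   = [System.Guid]$resetRight.rightsGuid

    # 3. Read the DACL on the user object (the equivalent of "dsacls DN_OF_OBJECT"),
    #    inherited ACEs from the OU included, and keep Allow ACEs for the delegated group.
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $groupAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    }
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Unlock = Write Property on lockoutTime ("WP on lockoutTime"), granted either by a
    # lockoutTime-specific ACE or by an all-properties (empty ObjectType) / GenericAll ACE.
    $canUnlock = [bool]($groupAces | Where-Object {
        (($_.ActiveDirectoryRights -band $ga) -eq $ga) -or
        ((($_.ActiveDirectoryRights -band $wp) -eq $wp) -and
         ($_.ObjectType -eq $lockoutGuid -or $_.ObjectType -eq [System.Guid]::Empty))
    })
    # Password reset is a separate control access right, not a property write.
    $canReset = [bool]($groupAces | Where-Object {
        (($_.ActiveDirectoryRights -band $ga) -eq $ga) -or
        ((($_.ActiveDirectoryRights -band $er) -eq $er) -and
         ($_.ObjectType -eq $resetGuid -or $_.ObjectType -eq [System.Guid]::Empty))
    })

    [pscustomobject]@{
        User             = $UserSam
        Group            = $GroupName
        AdminSDHolder    = $protected
        CanUnlockAccount = $canUnlock -and -not $protected
        CanResetPassword = $canReset  -and -not $protected
    }
}

Test-UnlockDelegation -UserSam 'jdoe' -GroupName 'OU-Helpdesk' | Format-List
```

If AdminSDHolder comes back True, no amount of OU delegation will help until the account is taken out of the protected group and its adminCount cleared and inheritance re-enabled; if it is False but CanUnlockAccount is also False, the ACE is missing on the OU or the group member has not logged off and on since being added, which is the token-refresh step Joe mentions.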
 
Guest

You know, Joe, I have many Windows books and have read them, but unfortunately
they don't go into enough detail about how to correct this issue. I wish I
worked for a large company that had training and many IT people, but
unfortunately that's not the case. I'm the entire IT department, so it's jack
of all trades, master of none. I will look at your answer and do some more
research after I get back from setting up a new domain in a remote office and see
what I can do. In the meantime you keep being an expert for us "green"
working people. Thanks
 
Cary Shultz [A.D. MVP]

Brian,

Please do not misunderstand Joe's comments. I am not going to attempt to
put words in Joe's mouth - he is a big boy and can take care of that
himself.

I think what Joe was trying to get across to you is that there were several
very basic things of which you were not aware. This would usually not be a
good thing. It does not have to be a bad thing, but it is not a good thing.
Generally speaking. There are a lot of 'IT Departments' full of people who
know how to format a Word Document or create a pivot table in Excel. This
does not make them Systems Administrators. This makes them Help Desk.
Usually because of their 'advanced computer skills' they are placed in the
IT Department. But they should really be in the Help Desk department.
Granted, if you work for a small company then it is often the case that the
IT Department is also the Help Desk Department.

Reading books is a good thing, but usually - as you are finding out - leaves
several things uncovered. You are correct in that most of the books are
terribly lacking in detailed information. They cover the top layer very
well. And that is important. But they usually do not go much deeper than
that. You might want to look at 'Inside Active Directory' for a really
really really good book on WIN2000 Active Directory.

And working in a test lab is very important. When I started out with Active
Directory this is what I did. Set up a test lab with two domain controllers
and two workstations. Do not even worry about Exchange for the moment. Read
the posts in this newsgroup as well as in the group policy newsgroup and
play with things in your test environment and then intentionally break
things so that you get a feel for 'this happens if that happened' type
stuff.

Also, install the Support Tools from the Service Pack CD-Media. Become
familiar with dcdiag, netdiag, repadmin, replmon, netdom and nltest. There
are several others of great help but start with these. You might also want
to go to Joe's web site and look at his tools ( adfind and oldcmp are two
very useful tools ).

Joe is one of the best in the world. Yep! In the world. Not in this state
or in this country or on this continent. In the world. When you deal with
the environments that he has you have to know everything inside and out.
Just like you know how to ride a bike and how to put food in your mouth when
it is dark ( without stabbing yourself in the lip or cheek )!

I really do not think that Joe was trying to disparage you. I have often
told people that they were a bit inexperienced and might be better off not
being the one to do what needed to be done.

As long as everything is working just fine anyone can be a Sys Admin. But
what happens when things do not?


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Joe Richards [MVP]

Brian, take a look at the following

1. O'Reilly Active Directory, 2e
2. O'Reilly Active Directory Cookbook
3. Addison Wesley Inside Active Directory: A System Administrator's Guide, 2e.


These are some of the best books out there right now for AD Admin level stuff.
The first book is a great primer for learning core concepts. The second book has
a ton of scripts and GUI solutions to various problems. The third book is a
great in depth book on AD and will teach you probably more than you ever want to
know.

I haven't read #1 though I read the first edition of it. I am sure Robbie did a
great treatment of it though in the second edition and doubt it is worse than it
was when I read it. I was a technical reviewer for both #2 and #3 and I know the
content is great in both of them.

The big thing about AD is that it isn't NT. In that, I mean that you really
didn't need to know too much to run an NT domain, anyone could fire it up and it
would generally work. However it was extremely limited. AD came along and
removed the limitations and gave a lot more flexibility but also added a bunch
of complexity. In order to do it well, you have to spend a good amount of time
working on it. I have spent the last 5 years working on it, I didn't get to
where I am from training and having large IT departments. I simply worked with
it. In fact, large companies aren't all that great about sending people to
training and in the three positions I have held running domains I have been one
of 3-5 people responsible for domains holding anywhere from 2000-250,000 users
and from 10-400 domain controllers. Not large groups of admins by any stretch of
the word. It actually forces you to be really good.


joe
 
Joe Richards [MVP]

Thanks Cary, however it isn't so much knowing how everything works as it is
having an understanding of the basics and working through logically how the rest
of it fits together. Often there are problems that I get brought in to look at
and I simply fall back to the basics and try to figure out what basic item isn't
configured properly or is screwing up.

joe
 
Herb Martin

Add Gary Olsen's (New Riders I believe)
"Active Directory Design and Deployment"
to the list.

It may actually be the best of the bunch but it
is very old now so it is mostly about those
GOOD FUNDAMENTALS that one needs
and which Joe referenced.
 
ptwilliams

If in-depth understanding is what you're after, then there's also the
Resource Kit ;-). It's fatter than most, and quite dry in parts, but
complemented with Inside... by Kouti and Seitsonen you've got it all...

Herb, Joe, Cary,

Have any of you looked at AD Forestry?

http://www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref=pd_sim_b_dp_5/202-4807295-4545454


I've heard that it's good, and was hoping one of the guys in work would buy
it so I could have a nose without needing to charge it to my card ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Jimmy Andersson [MVP]

I have that book, it's ok - no more no less, but that's just my 2 cents.
Kouti and Seitsonen's book is much better...

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------