Permission to reset, unlock user, etc...

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

I would like to give certain low level admin permissions to a couple of
people. Access to reset passwords, unlock an account, etc. What permission
and where should I do this at? I only have a single domain. Thank you.

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

"KC <--" <kc@hp.com> wrote in message
news:Ou#cE#yNFHA.1268@TK2MSFTNGP14.phx.gbl...
> I would like to give certain low level admin permissions to a couple of
> people. Access to reset passwords, unlock an account, etc. What
permission
> and where should I do this at? I only have a single domain. Thank you.

The specific things you mention are easy to do in
AD Users/Computers by using the Delegation of
Control Wizard (right-click on an object, probably
an OU, and it's the top entry.)

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

"Herb Martin" wrote:

> "KC <--" <kc@hp.com> wrote in message
> news:Ou#cE#yNFHA.1268@TK2MSFTNGP14.phx.gbl...
> > I would like to give certain low level admin permissions to a couple of
> > people. Access to reset passwords, unlock an account, etc. What
> permission
> > and where should I do this at? I only have a single domain. Thank you.
>
> The specific things you mention are easy to do in
> AD Users/Computers by using the Delegation of
> Control Wizard (right-click on an object, probably
> an OU, and it's the top entry.)
>
>
>
>


Well what Martin says is pretty true..

Just start AD users and computers with Domain Admin account ( or any other
account which has authority to delegate control) then Right click on the OU (
on which you want to delegate control), and then see the options, they are
pretty straight forward...

but if you want to give the permission of ENABLE/DISABLE account, then you
need to dig into a lil further.. you need to go into CUSTOM TASK permissons
and then select USER OBJECT (from only these specific object) and then
select WRITE USERACCOUNTCONTROL.... this will give the permission to ENBALE
or DISABLE..

Cheers,.

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

Herb Martin wrote:

> "KC <--" <kc@hp.com> wrote in message
> news:Ou#cE#yNFHA.1268@TK2MSFTNGP14.phx.gbl...
> > I would like to give certain low level admin permissions to a couple of
> > people. Access to reset passwords, unlock an account, etc. What
> permission
> > and where should I do this at? I only have a single domain. Thank you.
>
> The specific things you mention are easy to do in
> AD Users/Computers by using the Delegation of
> Control Wizard (right-click on an object, probably
> an OU, and it's the top entry.)

Make sure you click on View in ADUC and check Advanced Features so that when
you right click on OUs and choose Properties you can view the Security ACLs on
the objects which are just like ACLs on files and directories. The delegation
wizard let's you add items but only by turning on the Security tab can you
edit/remove users/groups that you have added through the delegation wizard.

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

Yes, the delegation of control wizard only has so many uses. However for
simple tasks it is fine. It's also a good place to start. After that
though, the only way to do this is through manually setting the atomic
permissions required on the object.

Search Microsoft's website for the delegation whitepaper. There are two
documents -the whitepaper and the appendixes. The appendixes, although
incorrect in some examples, are very helpful.

--

Paul Williams

http/www.msresource.net/
http/forums.msresource.net/

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (More info?)

In news:Ou%23cE%23yNFHA.1268@TK2MSFTNGP14.phx.gbl,
KC <-- <--" <kc@hp.com> commented
Then Kevin replied below:
> I would like to give certain low level admin permissions
> to a couple of people. Access to reset passwords, unlock
> an account, etc. What permission and where should I do
> this at? I only have a single domain. Thank you.

An Account operator should do just fine for this. Account operators can
administer domain user and group accounts

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http/www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http/home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http/www.oehelp.com/OEBackup/Default.aspx
===================================