Giving rights to a group to reset and unlock users in a AD domain [message #157442] Tue, 07 July 2009 13:05
sqldbaguy (United States)
Messages: 1
Registered: July 2009
Junior Member
Hi guys,

I'm new here. I have a problem that I hope you guys can help with. Our
A.D. guy has quit so they are giving me (the SQL DBA guy) the
responsibilities.

I am trying to add this group of users, who we are calling the "Account
Password Reset group" and I need to give them the right to reset any
user password, and also unlock a user in the domain. The only problem
is, when I add that group under Account Operators it doesn't work. My
users get an Access Denied error or something like that. And they can
only reset and unlock users within their own "Account Password Reset
group". It works when I put them under Domain Admin group, but those
privileges are too broad, and our director does not want them with all
those rights. Is there another built in group I could use, or a way to
modify their rights so they can have privileges to unlock and reset user
accounts?

Please help me, I have to have this fixed very soon and I don't need to
lose my job with the way the market is right now. Please help me.

Thanks


--
sqldbaguy
------------------------------------------------------------------------
sqldbaguy's Profile: http://forums.techarena.in/members/112384.htm
View this thread: http://forums.techarena.in/active-directory/1209623.htm

http://forums.techarena.in
Re: Giving rights to a group to reset and unlock users in a AD domain [message #157445 is a reply to message #157442] Tue, 07 July 2009 13:30
florian (Germany)
Messages: 484
Registered: July 2009
Senior Member
Howdie!

sqldbaguy wrote:
> I'm new here. I have a problem that I hope you guys can help with. Our
> A.D. guy has quit so they are giving me (the SQL DBA guy) the
> responsibilities.
>
> I am trying to add this group of users, who we are calling the "Account
> Password Reset group" and I need to give them the right to reset any
> user password, and also unlock a user in the domain. The only problem
> is, when I add that group under Account Operators it doesn't work.

Don't use the built-in groups. Create a new security group for those
users and put the password reset folks in there.

After that, right-click the OU that contains the user accounts you want
to grant reset access to, choose "Delegate Control...", choose the newly
created group and choose the "Reset password and force password reset...".
That should do the trick.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (German): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: Giving rights to a group to reset and unlock users in a AD domain [message #157455 is a reply to message #157442] Tue, 07 July 2009 15:30
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello sqldbaguy,

To reset passwords, use the "delegate control" wizard, and also use the settings
in the article to give the permissions to unlock accounts:
http://support.microsoft.com/kb/294952/en-us

Do not use the builtin groups for that, create your own security group. The
AdminSDHolder process runs on some protected groups and removes delegated
permissions and inheritance if set. See also:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi guys,
>
> I'm new here. I have a problem that I hope you guys can help with. Our
> A.D. guy has quit so they are giving me (the SQL DBA guy) the
> responsibilities.
>
> I am trying to add this group of users, who we are calling the
> "Account Password Reset group" and I need to give them the right to
> reset any user password, and also unlock a user in the domain. The
> only problem is, when I add that group under Account Operators it
> doesn't work. My users get an Access Denied error or something like
> that. And they can only reset and unlock users within their own
> "Account Password Reset group". It works when I put them under Domain
> Admin group, but those privileges are too broad, and our director does
> not want them with all those rights. Is there another built in group I
> could use, or a way to modify their rights so they can have privileges
> to unlock and reset user accounts?
>
> Please help me, I have to have this fixed very soon and I don't need to
> lose my job with the way the market is right now. Please help me.
>
> Thanks
>
> http://forums.techarena.in
>
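
The delegation both replies describe, written out as an added example (not part of either reply) using `dsacls` and the ActiveDirectory PowerShell module. The OU path and group name are placeholders; it grants only the rights needed for password reset and unlock on user objects under one OU, then lists accounts in that OU that AdminSDHolder protects and that the delegation will therefore not cover.

```powershell
# Added example. $ou and $group are placeholders (assumptions), not values
# from the thread. Run as an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=example,DC=com'   # OU holding the user accounts
$groupName = 'Account Password Reset'       # custom security group, not a built-in one
$group     = "EXAMPLE\$groupName"

# ACEs to grant. /I:S plus the trailing ';user' limits each ACE to
# descendant user objects, so the group gets nothing on the OU itself,
# on computers, or on groups.
$grants = @(
    'CA;Reset Password;user',   # extended right: set a new password
    'RPWP;pwdLastSet;user',     # read/write pwdLastSet: force change at next logon
    'RPWP;lockoutTime;user'     # read/write lockoutTime: unlock the account
)

foreach ($ace in $grants) {
    # ${group} keeps PowerShell from reading "$group:" as a scope qualifier
    dsacls $ou /I:S /G "${group}:$ace" | Out-Null
}

# Review what the group now holds on the OU. Expect exactly the three
# entries above and nothing broader (no GA / Full Control).
dsacls $ou | Select-String -SimpleMatch $groupName

# Accounts with adminCount=1 are, or have been, members of protected groups.
# AdminSDHolder overwrites their ACL and disables inheritance, so the
# delegated ACEs do not reach them and resets will return Access Denied.
Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' |
    Select-Object SamAccountName, DistinguishedName
```

Any account the last command returns has to be handled by an administrator rather than by the delegated group.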