Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Delegate Control of OU in AD 2008 [message #384868] Fri, 05 February 2010 05:50
Roger McCarrick (United States)
I have a 2008 Active Directory

mycompany.local
    NewYork
        Computers
        Groups
        Users

So I want to delegate control of the NewYork OU to the NYIT security
group and for those permissions to apply to all OUs under New York.
I just want to eliminate the ability to create users. They can reset
and change passwords, edit account info, disable and enable accounts.

I did: Right click New York
Select Delegate Control
Add DOMAIN\NYIT

select "Delegate the following common tasks:"
Select the following permissions
Reset user passwords and force password change at next logon
Read all user information
Generate Resultant Set of Policy (Planning)
Create, delete and manage groups
Modify the membership of a group
Manage Group Policy Links
Generate Resultant Set of Policy (Logging)
Reset inetOrgPerson passwords and force password change at next logon
Read all inetOrgPerson information


But it seems the members were unable to reset passwords or enable
accounts.

What's the best way to do this?

thanks
Re: Delegate Control of OU in AD 2008 [message #384876 is a reply to message #384868] Fri, 05 February 2010 06:02
meiweb (Germany)
Hello Roger,

That is the way to do it. Are the accounts they try to reset the password
for higher-level accounts than themselves?

See here about allowing account lockout:
http://support.microsoft.com/kb/294952/en-us

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


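Added example (not part of either post, and not Microsoft's or the forum's code): the delegation from the question expressed with dsacls, followed by a check for user objects that will not inherit it. The OU distinguished name is inferred from the tree in the question, `DOMAIN\NYIT` is taken as written there, the `Get-DelegatedAce` helper name is hypothetical, and reading the reply's "higher level accounts" as accounts protected by AdminSDHolder (adminCount = 1) is an assumption.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$ou    = 'OU=NewYork,DC=mycompany,DC=local'   # assumed DN, inferred from the question's tree
$group = 'DOMAIN\NYIT'                        # group as written in the question

# 1. Grant rights on descendant user objects only (/I:S = sub-objects, not the OU itself).
#    CA = control access right, WP = write property. No "create user" right is granted.
$grants = @(
    'CA;Reset Password;user',       # reset a password without knowing the old one
    'WP;pwdLastSet;user',           # force password change at next logon
    'WP;userAccountControl;user',   # enable / disable the account
    'WP;lockoutTime;user'           # unlock a locked-out account
)
foreach ($g in $grants) {
    dsacls $ou /I:S /G "${group}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed for '$g'" }
}

# 2. Report users under the OU that will NOT pick up the inherited ACEs:
#    adminCount = 1 (assumed meaning of "higher level accounts") or inheritance disabled.
Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * `
           -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        if ($_.adminCount -eq 1 -or $blocked) {
            [pscustomobject]@{
                User               = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $blocked
            }
        }
    }

# 3. Hypothetical helper: list the ACEs naming the group on one user object,
#    to confirm they arrived as inherited entries.
function Get-DelegatedAce {
    param([string]$UserDn, [string]$Identity)
    (Get-Acl -Path "AD:\$UserDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}
```

Write access to userAccountControl covers every flag in that attribute, not only the disabled bit, so review that grant before applying it. Any user listed by step 2 keeps its own ACL and is unaffected by the delegation on the OU.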