Thanks for the info. Would you know what permissions need to be set if we want to give them the right to ONLY enable an account if it’s disabled?

Thanks again.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 28, 2004 9:41 AM
To:
Subject: RE: [ActiveDir] Delegation of Control Wizard
Well it is the same in 2K and K3. You give the following permissions
WRITE lockoutTime
CA Reset Password
You can do that with subinacl or adsiedit or ADUC (using dssec.dat mods).
All permissioning in AD should be to
security groups and you add people to security groups. One thing you don't want
to do that I have been seeing a lot of lately is 10 different groups with reset
password. Secure the resource with a resource specific group and then add
people/groups to that resource group.... I.E. If you have some people that can
unlock, some can reset, have two groups. One for unlock, one for reset. If
people who can unlock can reset, use one group.
You should do these delegations at the OU
level, not piecemeal user by user.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Tuesday, December 28, 2004 9:34 AM
To:
Subject: [ActiveDir] Delegation of Control Wizard
We are looking to give our helpdesk only the rights to reset passwords and unlock accounts. We found that in Win2k that this was difficult to do using the Delegation of Control Wizard, so we did it using a security group. But now, I’ve been reading that it should be much easier in Win2k3. Does anyone know the exact permissions that we would need to give our helpdesk so that the only thing they can do is reset passwords and unlock accounts?
Thanks.
Alan Olegario
Tiffany & Co.
The information contained in this email message may be privileged, confidential,
and protected from disclosure. Any unauthorized use, printing, copying,
disclosure, dissemination of or reliance upon this communication by persons
other than the intended recipient may be subject to legal restriction or sanction.
If you think that you have received this E-mail message in error, please reply
to the sender and delete this email promptly.
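The delegation described in joe's reply (WRITE lockoutTime plus the Reset Password control access right, granted to resource-specific groups at the OU level), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available; the OU distinguished name and both group names are placeholders.

```powershell
# Added example: OU-level delegation of "unlock" and "reset password" on user objects.
Import-Module ActiveDirectory

$ouDn        = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$unlockGroup = 'EXAMPLE\Res-Staff-Unlock'     # placeholder resource group (unlock)
$resetGroup  = 'EXAMPLE\Res-Staff-ResetPwd'   # placeholder resource group (reset)

# Well-known AD schema / control-access-right GUIDs
$guidUserClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$guidLockoutTime = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$guidResetPwd    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right

function New-DelegationAce {
    param(
        [string]$Group,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # Allow ACE that applies only to descendant user objects, never to the OU itself.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $guidUserClass)
}

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Unlock = write access to the lockoutTime attribute only.
$acl.AddAccessRule((New-DelegationAce $unlockGroup 'WriteProperty' $guidLockoutTime))
# Reset = the Reset Password control access right (CA) only.
$acl.AddAccessRule((New-DelegationAce $resetGroup 'ExtendedRight' $guidResetPwd))

Set-Acl -Path $path -AclObject $acl

# Review what the two groups now hold on the OU; anything beyond the two ACEs
# above (for example GenericAll or an empty ObjectType) is broader than intended.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -in $unlockGroup, $resetGroup } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```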
