Interesting I saw your solved post before I saw the question post. 1. Delegate "reset password" extended right
2. Delegate WP on pwdLastSet (so they can write a 0 to the attribute) 3. Delegate WP on lockoutTime (so they can write a 0 to the attribute) - note this is called unlocking, not enabling. Assuming a group name of UserAdmins you can do this all with one command line dsacls cn=users,dc=domain,dc=com /I:S /G "useradmins:CA;Reset Password;user" "useradmins:WP;pwdLastSet;user" "useradmins:WP;lockoutTime;user" joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, March 22, 2005 2:45 PM To: [email protected] Subject: RE: [ActiveDir] Ad delegation Solved... > I would like to delegate 3 actions to the technicians in the AD. The 2 > first are easy to set, the third is the one that cause me a problem. > > 1- reset the users password > 2- set the "must change password at next logon" > 3- enable account that was disabled due to the password policy (locked > after bad attempts) > > I looked in the security and the delegation tabs and I never saw > anything concrete about it. > > Anyone has an idea on how to achieve it? > > BTW it's a Win2k native domain. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
