You should need:

For changing passwords without knowing old password:
    CA Change Password
For unlocking locked accounts:
    WP lockoutTime
For expiring passwords (force password to be changed on next logon):
    WP pwdLastSet

Here is a dsacls command that will do the delegation (all one line):
dsacls BASE_DN /I:S /G "dom\grp:CA;Reset Password;user" "dom\grp:WP;lockoutTime;user" "dom\grp:WP;pwdLastSet;user"
Ex:
dsacls cn=users,dc=joe,dc=com /I:S /G "joe\accounttechs:CA;Reset Password;user" "joe\accounttechs:WP;lockoutTime;user" "joe\accounttechs:WP;pwdLastSet;user"
I just tried this and it worked fine.
Things I would check if things aren't working fine.
1. Verify with dsacls dump the delegated permissions
2. Verify replication of the group to all DCs
3. Verify via whoami or sectok that the group is in the token of the user
attempting to make changes. This simply helps verify replication to the DC
that auth'ed the user.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: [email protected]
Subject: [ActiveDir] Strange problem
Hi,
I delegated the password management to the technicians group.
There is a glitch though, they can't seem to be able to reset passwords even
if I gave the permission to do so (on the OU). All they get is Access denied
(and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view
of ADUC.
Here are the security settings for the Technicians group:
reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions
What am I missing here?
Thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
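
Checks 1 and 3 from joe's reply, as an added PowerShell example that is not part of the original thread. It reads the DACL through ADSI instead of a dsacls dump and looks only for the three user-scoped ACEs that joe's sample command creates; the DN and group name are the ones from that sample, and the GUIDs are the standard schema identifiers for the user class, the Reset Password extended right, lockoutTime and pwdLastSet.

```powershell
# Added example. $BaseDn and $Group come from joe's sample dsacls command.
$BaseDn = 'cn=users,dc=joe,dc=com'
$Group  = 'joe\accounttechs'

# Schema GUIDs: the user class, and each right the delegation needs.
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$Required = @(
    @{ Name = 'CA Reset Password'; Right = 'ExtendedRight'; Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529' },
    @{ Name = 'WP lockoutTime';    Right = 'WriteProperty'; Guid = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1' },
    @{ Name = 'WP pwdLastSet';     Right = 'WriteProperty'; Guid = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' }
)

# Check 1: read the DACL on the container (explicit and inherited ACEs)
# and keep only the entries whose trustee is the delegated group.
$entry = [ADSI]"LDAP://$BaseDn"
$aces  = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Group }

foreach ($need in $Required) {
    $right = [int][System.DirectoryServices.ActiveDirectoryRights]$need.Right
    # An ACE counts only if it carries the right, names the exact
    # property or extended right, and is inherited by user objects.
    $match = @($aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band $right) -ne 0 -and
        $_.ObjectType -eq $need.Guid -and
        $_.InheritedObjectType -eq $UserClass
    })
    $allow = @($match | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($match | Where-Object { $_.AccessControlType -eq 'Deny' })
    $state = if ($deny.Count) { 'DENIED' } elseif ($allow.Count) { 'granted' } else { 'MISSING' }
    '{0,-20} {1}' -f $need.Name, $state
}

# Check 3: run this part in the technician's own logon session to confirm
# the group is present in the token issued by the authenticating DC.
$inToken = @(whoami /groups | Select-String -SimpleMatch $Group).Count -gt 0
"Group in current token: $inToken"
```

A right reported as MISSING here can still be granted by a broader ACE (for example one not scoped to user objects), so treat the output as a check on this specific delegation rather than on effective access.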