Sign in with
Sign up | Sign in
Your question

Unlock acct permissions

Last response: in Windows 2000/NT
Share
February 17, 2005 1:17:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

What permissions are necessary for a user to be able to unlock an account or
reset a password. I have an MMC created for user to reset passwords (will
this fix an account lockout?) in an OU. I have the user added to a admin
group I created for the OU. I continued to get access denised when try to
reset password. What permissions are necessary and where to access them as
the enterprose admin. Does password reset unlock an account or is that
seperate permissions? Thanks
Anonymous
February 17, 2005 4:51:07 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

How to grant help desk personnel the specific right to unlock user accounts:
http://support.microsoft.com/?kbid=279723

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"Brian" <Brian@discussions.microsoft.com> wrote in message
news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> What permissions are necessary for a user to be able to unlock an account
> or
> reset a password. I have an MMC created for user to reset passwords (will
> this fix an account lockout?) in an OU. I have the user added to a admin
> group I created for the OU. I continued to get access denised when try to
> reset password. What permissions are necessary and where to access them
> as
> the enterprose admin. Does password reset unlock an account or is that
> seperate permissions? Thanks
February 17, 2005 4:51:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks I applied both methods on article 279723 plus article 294952 and still
no access. The correct permissions are on the security group, the user I
added to the security group still cannot do anything with account unlock or
password reset. Where can I see the effective permissions of the user since
they are a memeber of this security group? The securty group is a memeber of
the built-in Account operators as well. Is there default deny on regular
users accounts that is blocking this? Any help in what this could be would
be appreciated. Thanks

"Laura E. Hunter (MVP)" wrote:

> How to grant help desk personnel the specific right to unlock user accounts:
> http://support.microsoft.com/?kbid=279723
>
> --
> Laura E. Hunter
> Microsoft MVP - Windows Server Networking
> All information provided "AS-IS", no warranties expressed or implied.
> Replies to newsgroup only.
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> > What permissions are necessary for a user to be able to unlock an account
> > or
> > reset a password. I have an MMC created for user to reset passwords (will
> > this fix an account lockout?) in an OU. I have the user added to a admin
> > group I created for the OU. I continued to get access denised when try to
> > reset password. What permissions are necessary and where to access them
> > as
> > the enterprose admin. Does password reset unlock an account or is that
> > seperate permissions? Thanks
>
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
February 17, 2005 10:58:09 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

By any chance is the account they are trying to work on another enhanced user
account, say an account op or something? If so, look into adminSDHolder posts.
If not, look at the ACL with DSACLS and verify the delegation occurred as
expected and if it is correct (should be WP on lockoutTime) then have the admin
log off and log on and try again.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Brian wrote:
> Thanks I applied both methods on article 279723 plus article 294952 and still
> no access. The correct permissions are on the security group, the user I
> added to the security group still cannot do anything with account unlock or
> password reset. Where can I see the effective permissions of the user since
> they are a memeber of this security group? The securty group is a memeber of
> the built-in Account operators as well. Is there default deny on regular
> users accounts that is blocking this? Any help in what this could be would
> be appreciated. Thanks
>
> "Laura E. Hunter (MVP)" wrote:
>
>
>>How to grant help desk personnel the specific right to unlock user accounts:
>>http://support.microsoft.com/?kbid=279723
>>
>>--
>>Laura E. Hunter
>>Microsoft MVP - Windows Server Networking
>>All information provided "AS-IS", no warranties expressed or implied.
>>Replies to newsgroup only.
>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>>
>>>What permissions are necessary for a user to be able to unlock an account
>>>or
>>>reset a password. I have an MMC created for user to reset passwords (will
>>>this fix an account lockout?) in an OU. I have the user added to a admin
>>>group I created for the OU. I continued to get access denised when try to
>>>reset password. What permissions are necessary and where to access them
>>>as
>>>the enterprose admin. Does password reset unlock an account or is that
>>>seperate permissions? Thanks
>>
>>
>>
February 17, 2005 11:41:04 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I don't know what an enhanced accouint is. I'm just trying to give a user
account unlock permission for an OU by making them a member of a security
group in that OU with permission to unloack accounts. How to do the rest of
what your writing about I have no idea how to accomplish. How do I verify
delgation? How do I get DSACLS to run on a specific account? I guess it is
not possbile to make a sub-administrator, nothing I have done or been told
has made any difference. The permissions in the security do not seem to
apply to it's members. Every one will have to full admins unless I can make
this Windows permissions work as desired.

"Joe Richards [MVP]" wrote:

> By any chance is the account they are trying to work on another enhanced user
> account, say an account op or something? If so, look into adminSDHolder posts.
> If not, look at the ACL with DSACLS and verify the delegation occurred as
> expected and if it is correct (should be WP on lockoutTime) then have the admin
> log off and log on and try again.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian wrote:
> > Thanks I applied both methods on article 279723 plus article 294952 and still
> > no access. The correct permissions are on the security group, the user I
> > added to the security group still cannot do anything with account unlock or
> > password reset. Where can I see the effective permissions of the user since
> > they are a memeber of this security group? The securty group is a memeber of
> > the built-in Account operators as well. Is there default deny on regular
> > users accounts that is blocking this? Any help in what this could be would
> > be appreciated. Thanks
> >
> > "Laura E. Hunter (MVP)" wrote:
> >
> >
> >>How to grant help desk personnel the specific right to unlock user accounts:
> >>http://support.microsoft.com/?kbid=279723
> >>
> >>--
> >>Laura E. Hunter
> >>Microsoft MVP - Windows Server Networking
> >>All information provided "AS-IS", no warranties expressed or implied.
> >>Replies to newsgroup only.
> >>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>
> >>>What permissions are necessary for a user to be able to unlock an account
> >>>or
> >>>reset a password. I have an MMC created for user to reset passwords (will
> >>>this fix an account lockout?) in an OU. I have the user added to a admin
> >>>group I created for the OU. I continued to get access denised when try to
> >>>reset password. What permissions are necessary and where to access them
> >>>as
> >>>the enterprose admin. Does password reset unlock an account or is that
> >>>seperate permissions? Thanks
> >>
> >>
> >>
>
Anonymous
February 19, 2005 3:42:42 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

This stuff works as designed, trust me, I have built an enterprise class
directory (>250,000 users) and worked on several other enterprise class
directories (>100k).

dsacls is a tool in the support tools. If you have them installed you should
simply be able to type

dsacls DN_OF_OBJECT

and it will show you the actual ACL on an AD Object.


If you want to quickly check if the adminSDHolder functionality is causing
issues, go grab adfind from my website and run the following command

adfind -default -f samaccountname=userid admincount

If there is a value returned and it isn't 0, that means you are being impacted
by adminSDHolder and you should search google for that term.

Overall you appear to be a very "green" admin and you should buy one or more
books and learn this stuff before you do too much more. You need to get a handle
on the basic concepts and thoughts before you hurt yourself by giving too many
rights in the forest to others.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Brian wrote:
> I don't know what an enhanced accouint is. I'm just trying to give a user
> account unlock permission for an OU by making them a member of a security
> group in that OU with permission to unloack accounts. How to do the rest of
> what your writing about I have no idea how to accomplish. How do I verify
> delgation? How do I get DSACLS to run on a specific account? I guess it is
> not possbile to make a sub-administrator, nothing I have done or been told
> has made any difference. The permissions in the security do not seem to
> apply to it's members. Every one will have to full admins unless I can make
> this Windows permissions work as desired.
>
> "Joe Richards [MVP]" wrote:
>
>
>>By any chance is the account they are trying to work on another enhanced user
>>account, say an account op or something? If so, look into adminSDHolder posts.
>>If not, look at the ACL with DSACLS and verify the delegation occurred as
>>expected and if it is correct (should be WP on lockoutTime) then have the admin
>>log off and log on and try again.
>>
>> joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>Brian wrote:
>>
>>>Thanks I applied both methods on article 279723 plus article 294952 and still
>>>no access. The correct permissions are on the security group, the user I
>>>added to the security group still cannot do anything with account unlock or
>>>password reset. Where can I see the effective permissions of the user since
>>>they are a memeber of this security group? The securty group is a memeber of
>>>the built-in Account operators as well. Is there default deny on regular
>>>users accounts that is blocking this? Any help in what this could be would
>>>be appreciated. Thanks
>>>
>>>"Laura E. Hunter (MVP)" wrote:
>>>
>>>
>>>
>>>>How to grant help desk personnel the specific right to unlock user accounts:
>>>>http://support.microsoft.com/?kbid=279723
>>>>
>>>>--
>>>>Laura E. Hunter
>>>>Microsoft MVP - Windows Server Networking
>>>>All information provided "AS-IS", no warranties expressed or implied.
>>>>Replies to newsgroup only.
>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>>>>
>>>>
>>>>>What permissions are necessary for a user to be able to unlock an account
>>>>>or
>>>>>reset a password. I have an MMC created for user to reset passwords (will
>>>>>this fix an account lockout?) in an OU. I have the user added to a admin
>>>>>group I created for the OU. I continued to get access denised when try to
>>>>>reset password. What permissions are necessary and where to access them
>>>>>as
>>>>>the enterprose admin. Does password reset unlock an account or is that
>>>>>seperate permissions? Thanks
>>>>
>>>>
>>>>
February 21, 2005 8:37:02 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You know Joe I have many Windows books and have read them but unfortunely
they don't go into enough detail about how to correct this issue. I wish I
worked for a large company that had training and many IT people but
unfortunely that's not the case. I'm the entire IT department, so it's jack
of all trades master of none. I will look at your answer do some more
research after I get back setting up a new domain in remote office and see
what I can do. In the mean time you keep being a n expert for us "green"
working people. Thanks

"Joe Richards [MVP]" wrote:

> This stuff works as designed, trust me, I have built an enterprise class
> directory (>250,000 users) and worked on several other enterprise class
> directories (>100k).
>
> dsacls is a tool in the support tools. If you have them installed you should
> simply be able to type
>
> dsacls DN_OF_OBJECT
>
> and it will show you the actual ACL on an AD Object.
>
>
> If you want to quickly check if the adminSDHolder functionality is causing
> issues, go grab adfind from my website and run the following command
>
> adfind -default -f samaccountname=userid admincount
>
> If there is a value returned and it isn't 0, that means you are being impacted
> by adminSDHolder and you should search google for that term.
>
> Overall you appear to be a very "green" admin and you should buy one or more
> books and learn this stuff before you do too much more. You need to get a handle
> on the basic concepts and thoughts before you hurt yourself by giving too many
> rights in the forest to others.
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian wrote:
> > I don't know what an enhanced accouint is. I'm just trying to give a user
> > account unlock permission for an OU by making them a member of a security
> > group in that OU with permission to unloack accounts. How to do the rest of
> > what your writing about I have no idea how to accomplish. How do I verify
> > delgation? How do I get DSACLS to run on a specific account? I guess it is
> > not possbile to make a sub-administrator, nothing I have done or been told
> > has made any difference. The permissions in the security do not seem to
> > apply to it's members. Every one will have to full admins unless I can make
> > this Windows permissions work as desired.
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>By any chance is the account they are trying to work on another enhanced user
> >>account, say an account op or something? If so, look into adminSDHolder posts.
> >>If not, look at the ACL with DSACLS and verify the delegation occurred as
> >>expected and if it is correct (should be WP on lockoutTime) then have the admin
> >>log off and log on and try again.
> >>
> >> joe
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Brian wrote:
> >>
> >>>Thanks I applied both methods on article 279723 plus article 294952 and still
> >>>no access. The correct permissions are on the security group, the user I
> >>>added to the security group still cannot do anything with account unlock or
> >>>password reset. Where can I see the effective permissions of the user since
> >>>they are a memeber of this security group? The securty group is a memeber of
> >>>the built-in Account operators as well. Is there default deny on regular
> >>>users accounts that is blocking this? Any help in what this could be would
> >>>be appreciated. Thanks
> >>>
> >>>"Laura E. Hunter (MVP)" wrote:
> >>>
> >>>
> >>>
> >>>>How to grant help desk personnel the specific right to unlock user accounts:
> >>>>http://support.microsoft.com/?kbid=279723
> >>>>
> >>>>--
> >>>>Laura E. Hunter
> >>>>Microsoft MVP - Windows Server Networking
> >>>>All information provided "AS-IS", no warranties expressed or implied.
> >>>>Replies to newsgroup only.
> >>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>>>
> >>>>
> >>>>>What permissions are necessary for a user to be able to unlock an account
> >>>>>or
> >>>>>reset a password. I have an MMC created for user to reset passwords (will
> >>>>>this fix an account lockout?) in an OU. I have the user added to a admin
> >>>>>group I created for the OU. I continued to get access denised when try to
> >>>>>reset password. What permissions are necessary and where to access them
> >>>>>as
> >>>>>the enterprose admin. Does password reset unlock an account or is that
> >>>>>seperate permissions? Thanks
> >>>>
> >>>>
> >>>>
>
Anonymous
February 21, 2005 12:14:38 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Brian,

Please do not misunderstand Joe's comments. I am not going to attempt to
put words in Joe's mouth - he is a big boy and can take care of that
himself.

I think what Joe was trying to get across to you is that there were several
very basic things of which you were not aware. This would usually not be a
good thing. It does not have to be a bad thing, but it is not a good thing.
Generally speaking. There are a lot of 'IT Departments' full of people who
know how to format a Word Document or create a pivot table in Excel. This
does not make them Systems Administrators. This makes them Help Desk.
Usually because of their 'advanced computer skills' they are placed in the
IT Department. But they should really be in the Help Desk department.
Granted, if you work for a small company then it is often the case that the
IT Department is also the Help Desk Department.

Reading books is a good thing, but usually - as you are finding out - leaves
several things uncovered. You are correct in that most of the books are
terribly lacking in detailed information. They cover the top layer very
well. And that is important. But they usually do not go much deeper than
that. You might want to look at 'Inside Active Directory' for a really
really really good book on WIN2000 Active Directory.

And working in a test lab is very important. When I started out with Active
Directory this is what I did. Set up a test lab with two domain controllers
and two workstations. Do not even worry about Exchange for the moment. read
the posts in this newsgroup as well as in the group policy news group and
play with things in your test environment and then intentionally break
things so that you get a feel for 'this happens if that happened' type
stuff.

Also, install the Support Tools from the Service Pack CD-Media. Become
familiar with dcdiag, netdiag, repadmin, replmon, netdom and nltest. There
are several others of great help but start with these. You might also want
to go to Joe's web site and look at his tools ( adfind and oldcmp are two
very useful tools ).

Joe is one of the best in the world. Yep! In the world. Not in this state
or in this country or on this continent. In the world. When you deal with
the environments that he has you have to know everything inside and out.
Just like you know how to ride a bike and how to put food in your mouth when
it is dark ( without stabbing yourself in the lip or cheek )!

I really do not think that Joe was trying to disparage you. I have often
told people that they were a bit inexperienced and might be better off not
being the one to do what needed to be done.

As long as everything is working just fine anyone can be a Sys Admin. But
what happens when things do not?


--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Brian" <Brian@discussions.microsoft.com> wrote in message
news:00C639B9-42AE-4DAE-8049-A4293D522A07@microsoft.com...
> You know Joe I have many Windows books and have read them but unfortunely
> they don't go into enough detail about how to correct this issue. I wish
> I
> worked for a large company that had training and many IT people but
> unfortunely that's not the case. I'm the entire IT department, so it's
> jack
> of all trades master of none. I will look at your answer do some more
> research after I get back setting up a new domain in remote office and see
> what I can do. In the mean time you keep being a n expert for us "green"
> working people. Thanks
>
> "Joe Richards [MVP]" wrote:
>
>> This stuff works as designed, trust me, I have built an enterprise class
>> directory (>250,000 users) and worked on several other enterprise class
>> directories (>100k).
>>
>> dsacls is a tool in the support tools. If you have them installed you
>> should
>> simply be able to type
>>
>> dsacls DN_OF_OBJECT
>>
>> and it will show you the actual ACL on an AD Object.
>>
>>
>> If you want to quickly check if the adminSDHolder functionality is
>> causing
>> issues, go grab adfind from my website and run the following command
>>
>> adfind -default -f samaccountname=userid admincount
>>
>> If there is a value returned and it isn't 0, that means you are being
>> impacted
>> by adminSDHolder and you should search google for that term.
>>
>> Overall you appear to be a very "green" admin and you should buy one or
>> more
>> books and learn this stuff before you do too much more. You need to get a
>> handle
>> on the basic concepts and thoughts before you hurt yourself by giving too
>> many
>> rights in the forest to others.
>>
>> joe
>>
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Brian wrote:
>> > I don't know what an enhanced accouint is. I'm just trying to give a
>> > user
>> > account unlock permission for an OU by making them a member of a
>> > security
>> > group in that OU with permission to unloack accounts. How to do the
>> > rest of
>> > what your writing about I have no idea how to accomplish. How do I
>> > verify
>> > delgation? How do I get DSACLS to run on a specific account? I guess
>> > it is
>> > not possbile to make a sub-administrator, nothing I have done or been
>> > told
>> > has made any difference. The permissions in the security do not seem
>> > to
>> > apply to it's members. Every one will have to full admins unless I can
>> > make
>> > this Windows permissions work as desired.
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >
>> >>By any chance is the account they are trying to work on another
>> >>enhanced user
>> >>account, say an account op or something? If so, look into adminSDHolder
>> >>posts.
>> >>If not, look at the ACL with DSACLS and verify the delegation occurred
>> >>as
>> >>expected and if it is correct (should be WP on lockoutTime) then have
>> >>the admin
>> >>log off and log on and try again.
>> >>
>> >> joe
>> >>
>> >>--
>> >>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>www.joeware.net
>> >>
>> >>
>> >>Brian wrote:
>> >>
>> >>>Thanks I applied both methods on article 279723 plus article 294952
>> >>>and still
>> >>>no access. The correct permissions are on the security group, the
>> >>>user I
>> >>>added to the security group still cannot do anything with account
>> >>>unlock or
>> >>>password reset. Where can I see the effective permissions of the user
>> >>>since
>> >>>they are a memeber of this security group? The securty group is a
>> >>>memeber of
>> >>>the built-in Account operators as well. Is there default deny on
>> >>>regular
>> >>>users accounts that is blocking this? Any help in what this could be
>> >>>would
>> >>>be appreciated. Thanks
>> >>>
>> >>>"Laura E. Hunter (MVP)" wrote:
>> >>>
>> >>>
>> >>>
>> >>>>How to grant help desk personnel the specific right to unlock user
>> >>>>accounts:
>> >>>>http://support.microsoft.com/?kbid=279723
>> >>>>
>> >>>>--
>> >>>>Laura E. Hunter
>> >>>>Microsoft MVP - Windows Server Networking
>> >>>>All information provided "AS-IS", no warranties expressed or implied.
>> >>>>Replies to newsgroup only.
>> >>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>> >>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>> >>>>
>> >>>>
>> >>>>>What permissions are necessary for a user to be able to unlock an
>> >>>>>account
>> >>>>>or
>> >>>>>reset a password. I have an MMC created for user to reset passwords
>> >>>>>(will
>> >>>>>this fix an account lockout?) in an OU. I have the user added to a
>> >>>>>admin
>> >>>>>group I created for the OU. I continued to get access denised when
>> >>>>>try to
>> >>>>>reset password. What permissions are necessary and where to access
>> >>>>>them
>> >>>>>as
>> >>>>>the enterprose admin. Does password reset unlock an account or is
>> >>>>>that
>> >>>>>seperate permissions? Thanks
>> >>>>
>> >>>>
>> >>>>
>>
Anonymous
February 25, 2005 7:30:47 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Brian, take a look at the following

1. O'Reilly Active Directory, 2e
2. O'Reilly Active Directory Cookbook
3. Addison Wesley Inside Active Directory: A System Administrator's Guide, 2e.


These are some of the best books out there right now for AD Admin level stuff.
The first book is a great primer for learning core concepts. The second book has
a ton of scripts and GUI solutions to various problems. The third book is a
great in depth book on AD and will teach you probably more than you ever want to
know.

I haven't read #1 though I read the first edition of it. I am sure Robbie did a
great treatment of it though in the second edition and doubt it is worse than it
was when I read it. I was a technical reviewer for both #2 and #3 and I know the
content is great in both of them.

The big thing about AD is that it isn't NT. In that, I mean that you really
didn't need to know too much to run an NT domain, anyone could fire it up and it
would generally work. However it was extremely limited. AD came along and
removed the limitations and gave a lot more flexibility but also added a bunch
of complexity. In order to do it well, you have to spend a good amount of time
working on it. I have spent the last 5 years working on it, I didn't get to
where I am from training and having large IT departments. I simply worked with
it. In fact, large companies aren't all that great about sending people to
training and in the three positions I have held running domains I have been one
of 3-5 people responsible for domains holding anywhere from 2000-250,000 users
and from 10-400 domain controllers. Not large groups of admins by any stretch of
the word. It actually forces you to be really good.


joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Brian wrote:
> You know Joe I have many Windows books and have read them but unfortunely
> they don't go into enough detail about how to correct this issue. I wish I
> worked for a large company that had training and many IT people but
> unfortunely that's not the case. I'm the entire IT department, so it's jack
> of all trades master of none. I will look at your answer do some more
> research after I get back setting up a new domain in remote office and see
> what I can do. In the mean time you keep being a n expert for us "green"
> working people. Thanks
>
> "Joe Richards [MVP]" wrote:
>
>
>>This stuff works as designed, trust me, I have built an enterprise class
>>directory (>250,000 users) and worked on several other enterprise class
>>directories (>100k).
>>
>>dsacls is a tool in the support tools. If you have them installed you should
>>simply be able to type
>>
>>dsacls DN_OF_OBJECT
>>
>>and it will show you the actual ACL on an AD Object.
>>
>>
>>If you want to quickly check if the adminSDHolder functionality is causing
>>issues, go grab adfind from my website and run the following command
>>
>>adfind -default -f samaccountname=userid admincount
>>
>>If there is a value returned and it isn't 0, that means you are being impacted
>>by adminSDHolder and you should search google for that term.
>>
>>Overall you appear to be a very "green" admin and you should buy one or more
>>books and learn this stuff before you do too much more. You need to get a handle
>>on the basic concepts and thoughts before you hurt yourself by giving too many
>>rights in the forest to others.
>>
>> joe
>>
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>Brian wrote:
>>
>>>I don't know what an enhanced accouint is. I'm just trying to give a user
>>>account unlock permission for an OU by making them a member of a security
>>>group in that OU with permission to unloack accounts. How to do the rest of
>>>what your writing about I have no idea how to accomplish. How do I verify
>>>delgation? How do I get DSACLS to run on a specific account? I guess it is
>>>not possbile to make a sub-administrator, nothing I have done or been told
>>>has made any difference. The permissions in the security do not seem to
>>>apply to it's members. Every one will have to full admins unless I can make
>>>this Windows permissions work as desired.
>>>
>>>"Joe Richards [MVP]" wrote:
>>>
>>>
>>>
>>>>By any chance is the account they are trying to work on another enhanced user
>>>>account, say an account op or something? If so, look into adminSDHolder posts.
>>>>If not, look at the ACL with DSACLS and verify the delegation occurred as
>>>>expected and if it is correct (should be WP on lockoutTime) then have the admin
>>>>log off and log on and try again.
>>>>
>>>> joe
>>>>
>>>>--
>>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>>www.joeware.net
>>>>
>>>>
>>>>Brian wrote:
>>>>
>>>>
>>>>>Thanks I applied both methods on article 279723 plus article 294952 and still
>>>>>no access. The correct permissions are on the security group, the user I
>>>>>added to the security group still cannot do anything with account unlock or
>>>>>password reset. Where can I see the effective permissions of the user since
>>>>>they are a memeber of this security group? The securty group is a memeber of
>>>>>the built-in Account operators as well. Is there default deny on regular
>>>>>users accounts that is blocking this? Any help in what this could be would
>>>>>be appreciated. Thanks
>>>>>
>>>>>"Laura E. Hunter (MVP)" wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>How to grant help desk personnel the specific right to unlock user accounts:
>>>>>>http://support.microsoft.com/?kbid=279723
>>>>>>
>>>>>>--
>>>>>>Laura E. Hunter
>>>>>>Microsoft MVP - Windows Server Networking
>>>>>>All information provided "AS-IS", no warranties expressed or implied.
>>>>>>Replies to newsgroup only.
>>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>>>>>>
>>>>>>
>>>>>>
>>>>>>>What permissions are necessary for a user to be able to unlock an account
>>>>>>>or
>>>>>>>reset a password. I have an MMC created for user to reset passwords (will
>>>>>>>this fix an account lockout?) in an OU. I have the user added to a admin
>>>>>>>group I created for the OU. I continued to get access denised when try to
>>>>>>>reset password. What permissions are necessary and where to access them
>>>>>>>as
>>>>>>>the enterprose admin. Does password reset unlock an account or is that
>>>>>>>seperate permissions? Thanks
>>>>>>
>>>>>>
>>>>>>
Anonymous
February 25, 2005 7:30:48 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Add Gary Olsen's (New Riders I believe)
"Active Directory Design and Deployment"
to the list.

It may actually be the best of the bunch but it
is very old now so it is mostly about those
GOOD FUNDAMENTALS that one needs
and which Joe referenced.



--
Herb Martin


"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:o RybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
> Brian, take a look at the following
>
> 1. O'Reilly Active Directory, 2e
> 2. O'Reilly Active Directory Cookbook
> 3. Addison Wesley Inside Active Directory: A System Administrator's Guide,
2e.
>
>
> These are some of the best books out there right now for AD Admin level
stuff.
> The first book is a great primer for learning core concepts. The second
book has
> a ton of scripts and GUI solutions to various problems. The third book is
a
> great in depth book on AD and will teach you probably more than you ever
want to
> know.
>
> I haven't read #1 though I read the first edition of it. I am sure Robbie
did a
> great treatment of it though in the second edition and doubt it is worse
than it
> was when I read it. I was a technical reviewer for both #2 and #3 and I
know the
> content is great in both of them.
>
> The big thing about AD is that it isn't NT. In that, I mean that you
really
> didn't need to know too much to run an NT domain, anyone could fire it up
and it
> would generally work. However it was extremely limited. AD came along and
> removed the limitations and gave a lot more flexibility but also added a
bunch
> of complexity. In order to do it well, you have to spend a good amount of
time
> working on it. I have spent the last 5 years working on it, I didn't get
to
> where I am from training and having large IT departments. I simply worked
with
> it. In fact, large companies aren't all that great about sending people to
> training and in the three positions I have held running domains I have
been one
> of 3-5 people responsible for domains holding anywhere from 2000-250,000
users
> and from 10-400 domain controllers. Not large groups of admins by any
stretch of
> the word. It actually forces you to be really good.
>
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian wrote:
> > You know Joe I have many Windows books and have read them but
unfortunely
> > they don't go into enough detail about how to correct this issue. I
wish I
> > worked for a large company that had training and many IT people but
> > unfortunely that's not the case. I'm the entire IT department, so it's
jack
> > of all trades master of none. I will look at your answer do some more
> > research after I get back setting up a new domain in remote office and
see
> > what I can do. In the mean time you keep being a n expert for us
"green"
> > working people. Thanks
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>This stuff works as designed, trust me, I have built an enterprise class
> >>directory (>250,000 users) and worked on several other enterprise class
> >>directories (>100k).
> >>
> >>dsacls is a tool in the support tools. If you have them installed you
should
> >>simply be able to type
> >>
> >>dsacls DN_OF_OBJECT
> >>
> >>and it will show you the actual ACL on an AD Object.
> >>
> >>
> >>If you want to quickly check if the adminSDHolder functionality is
causing
> >>issues, go grab adfind from my website and run the following command
> >>
> >>adfind -default -f samaccountname=userid admincount
> >>
> >>If there is a value returned and it isn't 0, that means you are being
impacted
> >>by adminSDHolder and you should search google for that term.
> >>
> >>Overall you appear to be a very "green" admin and you should buy one or
more
> >>books and learn this stuff before you do too much more. You need to get
a handle
> >>on the basic concepts and thoughts before you hurt yourself by giving
too many
> >>rights in the forest to others.
> >>
> >> joe
> >>
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Brian wrote:
> >>
> >>>I don't know what an enhanced accouint is. I'm just trying to give a
user
> >>>account unlock permission for an OU by making them a member of a
security
> >>>group in that OU with permission to unloack accounts. How to do the
rest of
> >>>what your writing about I have no idea how to accomplish. How do I
verify
> >>>delgation? How do I get DSACLS to run on a specific account? I guess
it is
> >>>not possbile to make a sub-administrator, nothing I have done or been
told
> >>>has made any difference. The permissions in the security do not seem
to
> >>>apply to it's members. Every one will have to full admins unless I can
make
> >>>this Windows permissions work as desired.
> >>>
> >>>"Joe Richards [MVP]" wrote:
> >>>
> >>>
> >>>
> >>>>By any chance is the account they are trying to work on another
enhanced user
> >>>>account, say an account op or something? If so, look into
adminSDHolder posts.
> >>>>If not, look at the ACL with DSACLS and verify the delegation occurred
as
> >>>>expected and if it is correct (should be WP on lockoutTime) then have
the admin
> >>>>log off and log on and try again.
> >>>>
> >>>> joe
> >>>>
> >>>>--
> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>www.joeware.net
> >>>>
> >>>>
> >>>>Brian wrote:
> >>>>
> >>>>
> >>>>>Thanks I applied both methods on article 279723 plus article 294952
and still
> >>>>>no access. The correct permissions are on the security group, the
user I
> >>>>>added to the security group still cannot do anything with account
unlock or
> >>>>>password reset. Where can I see the effective permissions of the
user since
> >>>>>they are a memeber of this security group? The securty group is a
memeber of
> >>>>>the built-in Account operators as well. Is there default deny on
regular
> >>>>>users accounts that is blocking this? Any help in what this could be
would
> >>>>>be appreciated. Thanks
> >>>>>
> >>>>>"Laura E. Hunter (MVP)" wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>How to grant help desk personnel the specific right to unlock user
accounts:
> >>>>>>http://support.microsoft.com/?kbid=279723
> >>>>>>
> >>>>>>--
> >>>>>>Laura E. Hunter
> >>>>>>Microsoft MVP - Windows Server Networking
> >>>>>>All information provided "AS-IS", no warranties expressed or
implied.
> >>>>>>Replies to newsgroup only.
> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>What permissions are necessary for a user to be able to unlock an
account
> >>>>>>>or
> >>>>>>>reset a password. I have an MMC created for user to reset
passwords (will
> >>>>>>>this fix an account lockout?) in an OU. I have the user added to a
admin
> >>>>>>>group I created for the OU. I continued to get access denised when
try to
> >>>>>>>reset password. What permissions are necessary and where to access
them
> >>>>>>>as
> >>>>>>>the enterprose admin. Does password reset unlock an account or is
that
> >>>>>>>seperate permissions? Thanks
> >>>>>>
> >>>>>>
> >>>>>>
Anonymous
February 25, 2005 7:33:13 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks Cary, however it isn't so much knowing how everything works as it is
having an understanding of the basics and working through logically how the rest
of it fits together. Often there are problems that I get brought in to look at
and I simple fall back to the basics and try to figure out what basic item isn't
configured properly or is screwing up.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Cary Shultz [A.D. MVP] wrote:
> Brian,
>
> Please do not misunderstand Joe's comments. I am not going to attempt to
> put words in Joe's mouth - he is a big boy and can take care of that
> himself.
>
> I think what Joe was trying to get across to you is that there were several
> very basic things of which you were not aware. This would usually not be a
> good thing. It does not have to be a bad thing, but it is not a good thing.
> Generally speaking. There are a lot of 'IT Departments' full of people who
> know how to format a Word Document or create a pivot table in Excel. This
> does not make them Systems Administrators. This makes them Help Desk.
> Usually because of their 'advanced computer skills' they are placed in the
> IT Department. But they should really be in the Help Desk department.
> Granted, if you work for a small company then it is often the case that the
> IT Department is also the Help Desk Department.
>
> Reading books is a good thing, but usually - as you are finding out - leaves
> several things uncovered. You are correct in that most of the books are
> terribly lacking in detailed information. They cover the top layer very
> well. And that is important. But they usually do not go much deeper than
> that. You might want to look at 'Inside Active Directory' for a really
> really really good book on WIN2000 Active Directory.
>
> And working in a test lab is very important. When I started out with Active
> Directory this is what I did. Set up a test lab with two domain controllers
> and two workstations. Do not even worry about Exchange for the moment. read
> the posts in this newsgroup as well as in the group policy news group and
> play with things in your test environment and then intentionally break
> things so that you get a feel for 'this happens if that happened' type
> stuff.
>
> Also, install the Support Tools from the Service Pack CD-Media. Become
> familiar with dcdiag, netdiag, repadmin, replmon, netdom and nltest. There
> are several others of great help but start with these. You might also want
> to go to Joe's web site and look at his tools ( adfind and oldcmp are two
> very useful tools ).
>
> Joe is one of the best in the world. Yep! In the world. Not in this state
> or in this country or on this continent. In the world. When you deal with
> the environments that he has you have to know everything inside and out.
> Just like you know how to ride a bike and how to put food in your mouth when
> it is dark ( without stabbing yourself in the lip or cheek )!
>
> I really do not think that Joe was trying to disparage you. I have often
> told people that they were a bit inexperienced and might be better off not
> being the one to do what needed to be done.
>
> As long as everything is working just fine anyone can be a Sys Admin. But
> what happens when things do not?
>
>
Anonymous
February 26, 2005 1:00:37 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If in depth understanding is what you're after, then there's also the
Resource Kit ;-). It's fatter than most, and quite dry in parts, but
complemented with Inside... by Kouti and Seitsonen and you've got it all...

Herb, Joe, Cary,

Have any of you looked at AD Forestry?

http://www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref...


I've heard that it's good, and was hoping one of the guys in work would buy
it so I could have a nose without needing to charge it to my card ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Herb Martin" <news@LearnQuick.com> wrote in message
news:eHiIPc4GFHA.3272@TK2MSFTNGP10.phx.gbl...
Add Gary Olsen's (New Riders I believe)
"Active Directory Design and Deployment"
to the list.

It may actually be the best of the bunch but it
is very old now so it is mostly about those
GOOD FUNDAMENTALS that one needs
and which Joe referenced.



--
Herb Martin


"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:o RybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
> Brian, take a look at the following
>
> 1. O'Reilly Active Directory, 2e
> 2. O'Reilly Active Directory Cookbook
> 3. Addison Wesley Inside Active Directory: A System Administrator's Guide,
2e.
>
>
> These are some of the best books out there right now for AD Admin level
stuff.
> The first book is a great primer for learning core concepts. The second
book has
> a ton of scripts and GUI solutions to various problems. The third book is
a
> great in depth book on AD and will teach you probably more than you ever
want to
> know.
>
> I haven't read #1 though I read the first edition of it. I am sure Robbie
did a
> great treatment of it though in the second edition and doubt it is worse
than it
> was when I read it. I was a technical reviewer for both #2 and #3 and I
know the
> content is great in both of them.
>
> The big thing about AD is that it isn't NT. In that, I mean that you
really
> didn't need to know too much to run an NT domain, anyone could fire it up
and it
> would generally work. However it was extremely limited. AD came along and
> removed the limitations and gave a lot more flexibility but also added a
bunch
> of complexity. In order to do it well, you have to spend a good amount of
time
> working on it. I have spent the last 5 years working on it, I didn't get
to
> where I am from training and having large IT departments. I simply worked
with
> it. In fact, large companies aren't all that great about sending people to
> training and in the three positions I have held running domains I have
been one
> of 3-5 people responsible for domains holding anywhere from 2000-250,000
users
> and from 10-400 domain controllers. Not large groups of admins by any
stretch of
> the word. It actually forces you to be really good.
>
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian wrote:
> > You know Joe I have many Windows books and have read them but
unfortunely
> > they don't go into enough detail about how to correct this issue. I
wish I
> > worked for a large company that had training and many IT people but
> > unfortunely that's not the case. I'm the entire IT department, so it's
jack
> > of all trades master of none. I will look at your answer do some more
> > research after I get back setting up a new domain in remote office and
see
> > what I can do. In the mean time you keep being a n expert for us
"green"
> > working people. Thanks
> >
> > "Joe Richards [MVP]" wrote:
> >
> >
> >>This stuff works as designed, trust me, I have built an enterprise class
> >>directory (>250,000 users) and worked on several other enterprise class
> >>directories (>100k).
> >>
> >>dsacls is a tool in the support tools. If you have them installed you
should
> >>simply be able to type
> >>
> >>dsacls DN_OF_OBJECT
> >>
> >>and it will show you the actual ACL on an AD Object.
> >>
> >>
> >>If you want to quickly check if the adminSDHolder functionality is
causing
> >>issues, go grab adfind from my website and run the following command
> >>
> >>adfind -default -f samaccountname=userid admincount
> >>
> >>If there is a value returned and it isn't 0, that means you are being
impacted
> >>by adminSDHolder and you should search google for that term.
> >>
> >>Overall you appear to be a very "green" admin and you should buy one or
more
> >>books and learn this stuff before you do too much more. You need to get
a handle
> >>on the basic concepts and thoughts before you hurt yourself by giving
too many
> >>rights in the forest to others.
> >>
> >> joe
> >>
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Brian wrote:
> >>
> >>>I don't know what an enhanced accouint is. I'm just trying to give a
user
> >>>account unlock permission for an OU by making them a member of a
security
> >>>group in that OU with permission to unloack accounts. How to do the
rest of
> >>>what your writing about I have no idea how to accomplish. How do I
verify
> >>>delgation? How do I get DSACLS to run on a specific account? I guess
it is
> >>>not possbile to make a sub-administrator, nothing I have done or been
told
> >>>has made any difference. The permissions in the security do not seem
to
> >>>apply to it's members. Every one will have to full admins unless I can
make
> >>>this Windows permissions work as desired.
> >>>
> >>>"Joe Richards [MVP]" wrote:
> >>>
> >>>
> >>>
> >>>>By any chance is the account they are trying to work on another
enhanced user
> >>>>account, say an account op or something? If so, look into
adminSDHolder posts.
> >>>>If not, look at the ACL with DSACLS and verify the delegation occurred
as
> >>>>expected and if it is correct (should be WP on lockoutTime) then have
the admin
> >>>>log off and log on and try again.
> >>>>
> >>>> joe
> >>>>
> >>>>--
> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>>www.joeware.net
> >>>>
> >>>>
> >>>>Brian wrote:
> >>>>
> >>>>
> >>>>>Thanks I applied both methods on article 279723 plus article 294952
and still
> >>>>>no access. The correct permissions are on the security group, the
user I
> >>>>>added to the security group still cannot do anything with account
unlock or
> >>>>>password reset. Where can I see the effective permissions of the
user since
> >>>>>they are a memeber of this security group? The securty group is a
memeber of
> >>>>>the built-in Account operators as well. Is there default deny on
regular
> >>>>>users accounts that is blocking this? Any help in what this could be
would
> >>>>>be appreciated. Thanks
> >>>>>
> >>>>>"Laura E. Hunter (MVP)" wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>How to grant help desk personnel the specific right to unlock user
accounts:
> >>>>>>http://support.microsoft.com/?kbid=279723
> >>>>>>
> >>>>>>--
> >>>>>>Laura E. Hunter
> >>>>>>Microsoft MVP - Windows Server Networking
> >>>>>>All information provided "AS-IS", no warranties expressed or
implied.
> >>>>>>Replies to newsgroup only.
> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>What permissions are necessary for a user to be able to unlock an
account
> >>>>>>>or
> >>>>>>>reset a password. I have an MMC created for user to reset
passwords (will
> >>>>>>>this fix an account lockout?) in an OU. I have the user added to a
admin
> >>>>>>>group I created for the OU. I continued to get access denised when
try to
> >>>>>>>reset password. What permissions are necessary and where to access
them
> >>>>>>>as
> >>>>>>>the enterprose admin. Does password reset unlock an account or is
that
> >>>>>>>seperate permissions? Thanks
> >>>>>>
> >>>>>>
> >>>>>>
Anonymous
February 26, 2005 8:48:11 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have that book, it's ok - no more no less, but that's just my 2 cents.
Kouti and Seitsonen's book is much better...

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:ufGyRm%23GFHA.3484@TK2MSFTNGP12.phx.gbl...
> If in depth understanding is what you're after, then there's also the
> Resource Kit ;-). It's fatter than most, and quite dry in parts, but
> complemented with Inside... by Kouti and Seitsonen and you've got it
> all...
>
> Herb, Joe, Cary,
>
> Have any of you looked at AD Forestry?
>
> http://www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref...
>
>
> I've heard that it's good, and was hoping one of the guys in work would
> buy
> it so I could have a nose without needing to charge it to my card ;-)
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eHiIPc4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> Add Gary Olsen's (New Riders I believe)
> "Active Directory Design and Deployment"
> to the list.
>
> It may actually be the best of the bunch but it
> is very old now so it is mostly about those
> GOOD FUNDAMENTALS that one needs
> and which Joe referenced.
>
>
>
> --
> Herb Martin
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:o RybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
>> Brian, take a look at the following
>>
>> 1. O'Reilly Active Directory, 2e
>> 2. O'Reilly Active Directory Cookbook
>> 3. Addison Wesley Inside Active Directory: A System Administrator's
>> Guide,
> 2e.
>>
>>
>> These are some of the best books out there right now for AD Admin level
> stuff.
>> The first book is a great primer for learning core concepts. The second
> book has
>> a ton of scripts and GUI solutions to various problems. The third book is
> a
>> great in depth book on AD and will teach you probably more than you ever
> want to
>> know.
>>
>> I haven't read #1 though I read the first edition of it. I am sure Robbie
> did a
>> great treatment of it though in the second edition and doubt it is worse
> than it
>> was when I read it. I was a technical reviewer for both #2 and #3 and I
> know the
>> content is great in both of them.
>>
>> The big thing about AD is that it isn't NT. In that, I mean that you
> really
>> didn't need to know too much to run an NT domain, anyone could fire it up
> and it
>> would generally work. However it was extremely limited. AD came along and
>> removed the limitations and gave a lot more flexibility but also added a
> bunch
>> of complexity. In order to do it well, you have to spend a good amount of
> time
>> working on it. I have spent the last 5 years working on it, I didn't get
> to
>> where I am from training and having large IT departments. I simply worked
> with
>> it. In fact, large companies aren't all that great about sending people
>> to
>> training and in the three positions I have held running domains I have
> been one
>> of 3-5 people responsible for domains holding anywhere from 2000-250,000
> users
>> and from 10-400 domain controllers. Not large groups of admins by any
> stretch of
>> the word. It actually forces you to be really good.
>>
>>
>> joe
>>
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Brian wrote:
>> > You know Joe I have many Windows books and have read them but
> unfortunely
>> > they don't go into enough detail about how to correct this issue. I
> wish I
>> > worked for a large company that had training and many IT people but
>> > unfortunely that's not the case. I'm the entire IT department, so it's
> jack
>> > of all trades master of none. I will look at your answer do some more
>> > research after I get back setting up a new domain in remote office and
> see
>> > what I can do. In the mean time you keep being a n expert for us
> "green"
>> > working people. Thanks
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >
>> >>This stuff works as designed, trust me, I have built an enterprise
>> >>class
>> >>directory (>250,000 users) and worked on several other enterprise class
>> >>directories (>100k).
>> >>
>> >>dsacls is a tool in the support tools. If you have them installed you
> should
>> >>simply be able to type
>> >>
>> >>dsacls DN_OF_OBJECT
>> >>
>> >>and it will show you the actual ACL on an AD Object.
>> >>
>> >>
>> >>If you want to quickly check if the adminSDHolder functionality is
> causing
>> >>issues, go grab adfind from my website and run the following command
>> >>
>> >>adfind -default -f samaccountname=userid admincount
>> >>
>> >>If there is a value returned and it isn't 0, that means you are being
> impacted
>> >>by adminSDHolder and you should search google for that term.
>> >>
>> >>Overall you appear to be a very "green" admin and you should buy one or
> more
>> >>books and learn this stuff before you do too much more. You need to get
> a handle
>> >>on the basic concepts and thoughts before you hurt yourself by giving
> too many
>> >>rights in the forest to others.
>> >>
>> >> joe
>> >>
>> >>
>> >>--
>> >>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>www.joeware.net
>> >>
>> >>
>> >>Brian wrote:
>> >>
>> >>>I don't know what an enhanced accouint is. I'm just trying to give a
> user
>> >>>account unlock permission for an OU by making them a member of a
> security
>> >>>group in that OU with permission to unloack accounts. How to do the
> rest of
>> >>>what your writing about I have no idea how to accomplish. How do I
> verify
>> >>>delgation? How do I get DSACLS to run on a specific account? I guess
> it is
>> >>>not possbile to make a sub-administrator, nothing I have done or been
> told
>> >>>has made any difference. The permissions in the security do not seem
> to
>> >>>apply to it's members. Every one will have to full admins unless I
>> >>>can
> make
>> >>>this Windows permissions work as desired.
>> >>>
>> >>>"Joe Richards [MVP]" wrote:
>> >>>
>> >>>
>> >>>
>> >>>>By any chance is the account they are trying to work on another
> enhanced user
>> >>>>account, say an account op or something? If so, look into
> adminSDHolder posts.
>> >>>>If not, look at the ACL with DSACLS and verify the delegation
>> >>>>occurred
> as
>> >>>>expected and if it is correct (should be WP on lockoutTime) then have
> the admin
>> >>>>log off and log on and try again.
>> >>>>
>> >>>> joe
>> >>>>
>> >>>>--
>> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>>>www.joeware.net
>> >>>>
>> >>>>
>> >>>>Brian wrote:
>> >>>>
>> >>>>
>> >>>>>Thanks I applied both methods on article 279723 plus article 294952
> and still
>> >>>>>no access. The correct permissions are on the security group, the
> user I
>> >>>>>added to the security group still cannot do anything with account
> unlock or
>> >>>>>password reset. Where can I see the effective permissions of the
> user since
>> >>>>>they are a memeber of this security group? The securty group is a
> memeber of
>> >>>>>the built-in Account operators as well. Is there default deny on
> regular
>> >>>>>users accounts that is blocking this? Any help in what this could
>> >>>>>be
> would
>> >>>>>be appreciated. Thanks
>> >>>>>
>> >>>>>"Laura E. Hunter (MVP)" wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>How to grant help desk personnel the specific right to unlock user
> accounts:
>> >>>>>>http://support.microsoft.com/?kbid=279723
>> >>>>>>
>> >>>>>>--
>> >>>>>>Laura E. Hunter
>> >>>>>>Microsoft MVP - Windows Server Networking
>> >>>>>>All information provided "AS-IS", no warranties expressed or
> implied.
>> >>>>>>Replies to newsgroup only.
>> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>>What permissions are necessary for a user to be able to unlock an
> account
>> >>>>>>>or
>> >>>>>>>reset a password. I have an MMC created for user to reset
> passwords (will
>> >>>>>>>this fix an account lockout?) in an OU. I have the user added to
>> >>>>>>>a
> admin
>> >>>>>>>group I created for the OU. I continued to get access denised
>> >>>>>>>when
> try to
>> >>>>>>>reset password. What permissions are necessary and where to
>> >>>>>>>access
> them
>> >>>>>>>as
>> >>>>>>>the enterprose admin. Does password reset unlock an account or is
> that
>> >>>>>>>seperate permissions? Thanks
>> >>>>>>
>> >>>>>>
>> >>>>>>
>
>
>
Anonymous
April 15, 2005 6:13:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Check out Microsoft article ID :294952
How to delegate the unlock right.

"Brian" wrote:

> What permissions are necessary for a user to be able to unlock an account or
> reset a password. I have an MMC created for user to reset passwords (will
> this fix an account lockout?) in an OU. I have the user added to a admin
> group I created for the OU. I continued to get access denised when try to
> reset password. What permissions are necessary and where to access them as
> the enterprose admin. Does password reset unlock an account or is that
> seperate permissions? Thanks
!