Password Reset and Unlock by Help Desk

Guest
Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory,microsoft.public.windows.server.sbs

Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
 
Guest

You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.

;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------

"MikeD <====" <miked@msn.com> wrote in message
news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
> Windows 2003 SP1 - 100 users.
>
> What rights and permissions and where (in AD) to allow a group or user the
> permission to...
>
> (1) reset password accounts
> (2) unlock accounts
> (3) even create (not as significant though)
>
>
> Thank you.
>
 
Guest

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:uBwXyPWQFHA.1528@TK2MSFTNGP09.phx.gbl...
> You can add these 2 to your delegwiz.inf file. (Don't forget to add the
> template numbers to the "templates=" line in the inf.) Once you modify the
> delegwiz.inf file, you can use the delegate control wizard in ADUC to
> delegate out the rights to a security group.

I am going to Google and research this but do you
happen to know the best guide for the delegwiz.inf
file?

> ;----------------------------------------------------------
> [template100]
> AppliesToClasses=organizationalUnit
>
> Description = "Reset user password"
>
> ObjectTypes = user
>
> [template100.user]
> CONTROLRIGHT= "Reset Password"
> pwdLastSet=RP,WP
> lockoutTime=WP
> ;----------------------------------------------------------
>
> ;----------------------------------------------------------
> [template110]
> AppliesToClasses=organizationalUnit
>
> Description = "Create user accounts"
>
> ObjectTypes = SCOPE, user
>
> [template110.SCOPE]
> user=CC
>
> [template110.user]
> CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
> ;----------------------------------------------------------
>
> "MikeD <====" <miked@msn.com> wrote in message
> news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
> > Windows 2003 SP1 - 100 users.
> >
> > What rights and permissions and where (in AD) to allow a group or user the
> > permission to...
> >
> > (1) reset password accounts
> > (2) unlock accounts
> > (3) even create (not as significant though)
> >
> >
> > Thank you.
> >
>
>
 
Guest

Knowing my luck, OE will wrap the links, but I lean quite heavily on the
appendices document.

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

/neo


"Herb Martin" <news@LearnQuick.com> wrote in message
news:uQgYKrWQFHA.2736@TK2MSFTNGP09.phx.gbl...
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:uBwXyPWQFHA.1528@TK2MSFTNGP09.phx.gbl...
>> You can add these 2 to your delegwiz.inf file. (Don't forget to add the
>> template numbers to the "templates=" line in the inf.) Once you modify the
>> delegwiz.inf file, you can use the delegate control wizard in ADUC to
>> delegate out the rights to a security group.
>
> I am going to Google and research this but do you
> happen to know the best guide for the delegwiz.inf
> file?
>
>> ;----------------------------------------------------------
>> [template100]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Reset user password"
>>
>> ObjectTypes = user
>>
>> [template100.user]
>> CONTROLRIGHT= "Reset Password"
>> pwdLastSet=RP,WP
>> lockoutTime=WP
>> ;----------------------------------------------------------
>>
>> ;----------------------------------------------------------
>> [template110]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Create user accounts"
>>
>> ObjectTypes = SCOPE, user
>>
>> [template110.SCOPE]
>> user=CC
>>
>> [template110.user]
>> CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
>> ;----------------------------------------------------------
>>
>> "MikeD <====" <miked@msn.com> wrote in message
>> news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
>> > Windows 2003 SP1 - 100 users.
>> >
>> > What rights and permissions and where (in AD) to allow a group or user the
>> > permission to...
>> >
>> > (1) reset password accounts
>> > (2) unlock accounts
>> > (3) even create (not as significant though)
>> >
>> >
>> > Thank you.
>> >
>>
>>
>
>
 
Guest

Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uQgYKrWQFHA.2736@TK2MSFTNGP09.phx.gbl...
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:uBwXyPWQFHA.1528@TK2MSFTNGP09.phx.gbl...
>> You can add these 2 to your delegwiz.inf file. (Don't forget to add the
>> template numbers to the "templates=" line in the inf.) Once you modify the
>> delegwiz.inf file, you can use the delegate control wizard in ADUC to
>> delegate out the rights to a security group.
>
> I am going to Google and research this but do you
> happen to know the best guide for the delegwiz.inf
> file?
>
>> ;----------------------------------------------------------
>> [template100]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Reset user password"
>>
>> ObjectTypes = user
>>
>> [template100.user]
>> CONTROLRIGHT= "Reset Password"
>> pwdLastSet=RP,WP
>> lockoutTime=WP
>> ;----------------------------------------------------------
>>
>> ;----------------------------------------------------------
>> [template110]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Create user accounts"
>>
>> ObjectTypes = SCOPE, user
>>
>> [template110.SCOPE]
>> user=CC
>>
>> [template110.user]
>> CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
>> ;----------------------------------------------------------
>>
>> "MikeD <====" <miked@msn.com> wrote in message
>> news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
>> > Windows 2003 SP1 - 100 users.
>> >
>> > What rights and permissions and where (in AD) to allow a group or user the
>> > permission to...
>> >
>> > (1) reset password accounts
>> > (2) unlock accounts
>> > (3) even create (not as significant though)
>> >
>> >
>> > Thank you.
>> >
>>
>>
>
>
 
Guest

Wow, where is the good source of info on this Neo? What is your main source
for the available options and how to modify whitepaper?



"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:uBwXyPWQFHA.1528@TK2MSFTNGP09.phx.gbl...
> You can add these 2 to your delegwiz.inf file. (Don't forget to add the
> template numbers to the "templates=" line in the inf.) Once you modify
> the delegwiz.inf file, you can use the delegate control wizard in ADUC to
> delegate out the rights to a security group.
>
> ;----------------------------------------------------------
> [template100]
> AppliesToClasses=organizationalUnit
>
> Description = "Reset user password"
>
> ObjectTypes = user
>
> [template100.user]
> CONTROLRIGHT= "Reset Password"
> pwdLastSet=RP,WP
> lockoutTime=WP
> ;----------------------------------------------------------
>
> ;----------------------------------------------------------
> [template110]
> AppliesToClasses=organizationalUnit
>
> Description = "Create user accounts"
>
> ObjectTypes = SCOPE, user
>
> [template110.SCOPE]
> user=CC
>
> [template110.user]
> CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
> ;----------------------------------------------------------
>
> "MikeD <====" <miked@msn.com> wrote in message
> news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
>> Windows 2003 SP1 - 100 users.
>>
>> What rights and permissions and where (in AD) to allow a group or user
>> the permission to...
>>
>> (1) reset password accounts
>> (2) unlock accounts
>> (3) even create (not as significant though)
>>
>>
>> Thank you.
>>
>
>
 
Guest

Herb,

I believe here.

Appendices:
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
 
Guest

MikeD wrote:

> Windows 2003 SP1 - 100 users.
>
> What rights and permissions and where (in AD) to allow a group or user the
> permission to...
>
> (1) reset password accounts
> (2) unlock accounts
> (3) even create (not as significant though)
>
>
> Thank you.

If Neo's options (which look really cool, btw) are too much for you (or
you need a little more than just the 3 you mentioned), there is a
predefined group called "Account Operators" that has those privileges.
It's there so that most user account operations can be quickly handed off
to a separate person, without having to give them full administrative
privileges.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
 
Guest

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:e8b6oAXQFHA.1528@TK2MSFTNGP09.phx.gbl...
> Silly me... the two links I provided do *NOT* take Exchange 200x into
> consideration. So the documents will not cover the ldap properties that
> Exchange adds when it extends the schema. However it is possible to
> delegate everything with some additional effort w/out giving out the keys to
> the kingdom so to speak.

Why was the 'silly' -- It doesn't seem to be your fault?

Also, the second document isn't available (right now)
-- and this is NOT due to your link, the summary page
appears but there is a web site database error on the
actual document download.

Could (one of you) send me the appendix?
 
Guest

because i'm typing the response to a question in the sbs group and well, sbs
is the do all collection of dc/gc/dns/exchange/.etc.

sure... want me to use the "news" address or did you have something else in
mind?

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uodL9MdQFHA.3336@TK2MSFTNGP09.phx.gbl...
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:e8b6oAXQFHA.1528@TK2MSFTNGP09.phx.gbl...
>> Silly me... the two links I provided do *NOT* take Exchange 200x into
>> consideration. So the documents will not cover the ldap properties that
>> Exchange adds when it extends the schema. However it is possible to
>> delegate everything with some additional effort w/out giving out the keys to
>> the kingdom so to speak.
>
> Why was the 'silly' -- It doesn't seem to be your fault?
>
> Also, the second document isn't available (right now)
> -- and this is NOT due to your link, the summary page
> appears but there is a web site database error on the
> actual document download.
>
> Could (one of you) send me the appendix?
>
>
>
 
Guest

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:#vCluPkQFHA.3296@TK2MSFTNGP15.phx.gbl...
> because i'm typing the response to a question in the sbs group and well, sbs
> is the do all collection of dc/gc/dns/exchange/.etc.
>
> sure... want me to use the "news" address or did you have something else in
> mind?

News is fine -- But I forgot to mention that .DOCs are blocked.

Please rename to anything like ._doc or zip it.

Thanks so much.
 
Guest

on its way to you. (zipped it and it was just under 500KB)

"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23m%23SR2pQFHA.3076@tk2msftngp13.phx.gbl...
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:#vCluPkQFHA.3296@TK2MSFTNGP15.phx.gbl...
>> because i'm typing the response to a question in the sbs group and well, sbs
>> is the do all collection of dc/gc/dns/exchange/.etc.
>>
>> sure... want me to use the "news" address or did you have something else in
>> mind?
>
> News is fine -- But I forgot to mention that .DOCs are blocked.
>
> Please rename to anything like ._doc or zip it.
>
> Thanks so much.
>
>
>
>
>
 
Guest

I really appreciate the (extra) trouble.

Thank you.

--
Herb Martin


"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:OYKoGlwQFHA.3296@TK2MSFTNGP15.phx.gbl...
> on its way to you. (zipped it and it was just under 500KB)
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%23m%23SR2pQFHA.3076@tk2msftngp13.phx.gbl...
> > "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> > news:#vCluPkQFHA.3296@TK2MSFTNGP15.phx.gbl...
> >> because i'm typing the response to a question in the sbs group and well, sbs
> >> is the do all collection of dc/gc/dns/exchange/.etc.
> >>
> >> sure... want me to use the "news" address or did you have something else in
> >> mind?
> >
> > News is fine -- But I forgot to mention that .DOCs are blocked.
> >
> > Please rename to anything like ._doc or zip it.
> >
> > Thanks so much.
> >
> >
> >
> >
> >
>
>
 
Guest

Account Op in my opinion should not be used, it is far more powerful than
normally needed unless you have a very small shop and want to give out wide
ranging rights. Other than modifying groups and users acc ops have native rights
such as logging onto DCs and other items. If someone simply wants to delegate
password reset and unlock or even create, it is much smarter to do it in a far
more focused way with delegated permissions and can easily be done through
command line using dsacls.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Steve Foster [SBS MVP] wrote:
> MikeD wrote:
>
>> Windows 2003 SP1 - 100 users.
>>
>> What rights and permissions and where (in AD) to allow a group or user the
>> permission to...
>>
>> (1) reset password accounts
>> (2) unlock accounts
>> (3) even create (not as significant though)
>>
>>
>> Thank you.
>
>
> If Neo's options (which look really cool, btw) are too much for you (or
> you need a little more than just the 3 you mentioned), there is a
> predefined group called "Account Operators" that has those privileges.
> It's there so that most user account operations can be quickly handed
> off to a separate person, without having to give them full
> administrative privileges.
>
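One way to do the focused delegation Joe describes with dsacls, covering the three rights MikeD asked for (reset, unlock, create) on a single OU and inherited only by user objects, as neo's delegwiz.inf templates do. This is an added example, not something posted in the thread; the OU distinguished name and the group name are placeholders to replace with your own.

```powershell
# Added example (not from the thread): delegate password reset, unlock and
# user creation to one help-desk group with dsacls, scoped to one OU.
# Placeholders: replace with the OU that holds the user accounts and the
# group that should receive the delegation.
$Ou    = "OU=Staff,DC=example,DC=com"
$Group = "EXAMPLE\HelpDesk"

# /I:S = inherit to sub-objects only (the OU object itself gets nothing);
# the trailing ";user" limits each ACE to objects of class user, which is the
# same scoping neo's [templateNNN.user] sections express in delegwiz.inf.

# (1) Reset passwords: the "Reset Password" extended right (CA = control
#     access) plus read/write on pwdLastSet, so the help desk can also tick
#     "User must change password at next logon".
dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"
dsacls $Ou /I:S /G "${Group}:RPWP;pwdLastSet;user"

# (2) Unlock accounts: write access to lockoutTime is all that is needed.
dsacls $Ou /I:S /G "${Group}:WP;lockoutTime;user"

# (3) Create user accounts (optional): create-child of class user on the OU
#     and, with /I:T, on any OUs nested beneath it. CC only; no delete right.
dsacls $Ou /I:T /G "${Group}:CC;user"

# Check what the group actually ended up with. dsacls prints each ACE as a
# short block, so two lines of trailing context show the granted access.
# Any ACE for the group beyond the four above means more was delegated than
# intended (for example a previous run of the wizard).
dsacls $Ou | Select-String -Pattern ([regex]::Escape($Group)) -Context 0,2

# Caveat: accounts protected by AdminSDHolder (adminCount=1, e.g. members of
# Domain Admins) do not inherit OU ACEs, so the help desk cannot reset or
# unlock those. That is the intended boundary, not a misconfiguration.
```

Rights granted this way are additive, so remove any earlier wizard-granted entries with `dsacls $Ou /R $Group` before running the script if you want the listing at the end to show exactly these four ACEs.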