Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory,microsoft.public.windows.server.sbs (
More info?)
Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.
"Herb Martin" <news@LearnQuick.com> wrote in message
news:uQgYKrWQFHA.2736@TK2MSFTNGP09.phx.gbl...
> "neo [mvp outlook]" <neo@online.mvps.org> wrote in message
> news:uBwXyPWQFHA.1528@TK2MSFTNGP09.phx.gbl...
>> You can add these 2 to your delegwiz.inf file. (Don't forget to add the
>> template numbers to the "templates=" line in the inf.) Once you modify
> the
>> delegwiz.inf file, you can use the delegate control wizard in ADUC to
>> delegate out the rights to a security group.
>
> I am going to Google and research this but do you
> happen to know the best guide for the delegwiz.inf
> file?
>
>> ;----------------------------------------------------------
>> [template100]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Reset user password"
>>
>> ObjectTypes = user
>>
>> [template100.user]
>> CONTROLRIGHT= "Reset Password"
>> pwdLastSet=RP,WP
>> lockoutTime=WP
>> ;----------------------------------------------------------
>>
>> ;----------------------------------------------------------
>> [template110]
>> AppliesToClasses=organizationalUnit
>>
>> Description = "Create user accounts"
>>
>> ObjectTypes = SCOPE, user
>>
>> [template110.SCOPE]
>> user=CC
>>
>> [template110.user]
>> CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
>> ;----------------------------------------------------------
>>
>> "MikeD <====" <miked@msn.com> wrote in message
>> news:uybvVpVQFHA.1236@TK2MSFTNGP14.phx.gbl...
>> > Windows 2003 SP1 - 100 users.
>> >
>> > What rights and permissions and where (in AD) to allow a group or user
> the
>> > permission to...
>> >
>> > (1) reset password accounts
>> > (2) unlock accounts
>> > (3) even create (not as significant though)
>> >
>> >
>> > Thank you.
>> >
>>
>>
>
>