Delegation Control

Guest
Archived from groups: microsoft.public.win2000.security

Hi:

First, let me explain what I'm trying to do. I want to set up a particular
group with the right to be able to reset user passwords and enable user
accounts. Now, currently, I'm attempting to do this with the Delegation
Control Wizard. The reset password option is working, but I'm unable to get
the enable account portion of this to work. I've even printed out a
Microsoft KB article that I thought was related to this problem (KB Article
294952). I've done all the steps that the article says to do. I've modified
the DSSEC.DAT file accordingly. I've gone into the Delegation Control
Wizard and checked on the ReadLockOutTime and WriteLockOutTime boxes. Still
not able to enable any user accounts. Is there something else I need to do
that I'm overlooking or is this just not possible for users other than those
that have Admin privileges?
 
Guest

lockoutTime is for locked out accounts, not disabled accounts. Disabling is
handled through a single bit flag in the useraccountcontrol attribute. Note that
allowing access to this allows more than just enabling/disabling accounts, they
can also set the password to never expire, etc.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Jerrald Noland wrote:
> Hi:
>
> First, let me explain what I'm trying to do. I want to set up a particular
> group with the right to be able to reset user passwords and enable user
> accounts. Now, currently, I'm attempting to do this with the Delegation
> Control Wizard. The reset password option is working, but I'm unable to get
> the enable account portion of this to work. I've even printed out a
> Microsoft KB article that I thought was related to this problem (KB Article
> 294952). I've done all the steps that the article says to do. I've modified
> the DSSEC.DAT file accordingly. I've gone into the Delegation Control
> Wizard and checked on the ReadLockOutTime and WriteLockOutTime boxes. Still
> not able to enable any user accounts. Is there something else I need to do
> that I'm overlooking or is this just not possible for users other than those
> that have Admin privileges?
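
The point in the reply above, that write access to userAccountControl covers more than the enable/disable bit, shown as an added example that is not part of the original thread: a check that compares before/after userAccountControl values and reports any bit other than ACCOUNTDISABLE that changed in the same write. The flag values are the documented userAccountControl bits (abridged); the account names, sample values and the helper names `review_change` and `audit` are assumptions made for illustration.

```python
# Abridged table of documented userAccountControl bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002  # the only bit an enable/disable delegation should touch

def review_change(old, new):
    """Return (action, extras): "enabled"/"disabled"/None, plus every other bit changed."""
    changed = old ^ new
    action = None
    if changed & ACCOUNTDISABLE:
        action = "disabled" if new & ACCOUNTDISABLE else "enabled"
    extras = []
    bit = 1
    while bit <= changed:
        if changed & bit and bit != ACCOUNTDISABLE:
            name = UAC_FLAGS.get(bit, f"OTHER_0x{bit:X}")  # bit not in the abridged table
            extras.append(("set " if new & bit else "cleared ") + name)
        bit <<= 1
    return action, extras

def audit(records):
    """Return (account, extras) for each change that went beyond enable/disable."""
    findings = []
    for account, old, new in records:
        _, extras = review_change(old, new)
        if extras:
            findings.append((account, extras))
    return findings

# Constructed sample data: (account, old value, new value) as a change log might record.
SAMPLE = [
    ("jdoe", 0x202, 0x200),      # disabled account enabled, nothing else
    ("asmith", 0x202, 0x10200),  # enabled, and password set to never expire
    ("bjones", 0x200, 0x220),    # no enable/disable at all
]

if __name__ == "__main__":
    for account, extras in audit(SAMPLE):
        print(account, extras)
```
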
 
Guest

Thanks...that was what I needed. Appreciate the help

"Joe Richards [MVP]" wrote:

> lockoutTime is for locked out accounts, not disabled accounts. Disabling is
> handled through a single bit flag in the useraccountcontrol attribute. Note that
> allowing access to this allows more than just enabling/disabling accounts, they
> can also set the password to never expire, etc.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Jerrald Noland wrote:
> > Hi:
> >
> > First, let me explain what I'm trying to do. I want to set up a particular
> > group with the right to be able to reset user passwords and enable user
> > accounts. Now, currently, I'm attempting to do this with the Delegation
> > Control Wizard. The reset password option is working, but I'm unable to get
> > the enable account portion of this to work. I've even printed out a
> > Microsoft KB article that I thought was related to this problem (KB Article
> > 294952). I've done all the steps that the article says to do. I've modified
> > the DSSEC.DAT file accordingly. I've gone into the Delegation Control
> > Wizard and checked on the ReadLockOutTime and WriteLockOutTime boxes. Still
> > not able to enable any user accounts. Is there something else I need to do
> > that I'm overlooking or is this just not possible for users other than those
> > that have Admin privileges?
>