Unable to unlock peer group members' accounts

February 4, 2005 1:50:28 AM

Archived from groups: microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

I have 2 global security groups: group A can manage computer accounts and
group B can manage user accounts. But after I put group A as a member of
group B, everything works (i.e., group A people can manage computer
and user accounts) except that they are unable to reset peer group A
members' user accounts.
I have tried the MS article to select the read/write lockout time and
delegate again. Still the same.

Any idea? Thanks!

Jason
February 4, 2005 3:21:04 AM

Archived from groups: microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

Were they able to manage the user's accounts before, and for the same exact
user? If a user is a member of privileged groups such as Administrators,
Account Operators, Server Operators, etc., a regular user who has been
delegated permissions to manage user accounts for an OU/container cannot
manage those user accounts. When you examine the security properties of
users in those privileged groups you will see that the "delegated" group
does not have permissions to the user, and that user object is configured to
not inherit security settings from its parent in the advanced page of security
properties. --- Steve


February 4, 2005 11:14:02 AM


Steven,
Members of both groups (A and B) are not part of any privileged groups or
built-in groups. (I have verified this by checking these two groups'
"Member Of" tab.) They were able to unlock peer user accounts before the
change.

Jason

February 4, 2005 8:02:44 PM


Hmm. The privileged group membership was always what caused this to happen
in my experience. I can't think of a reason why that would happen offhand if
they were not. Instead of group nesting I would try to explicitly delegate
group A permissions to manage user accounts to see if that works for you. ---
Steve

February 7, 2005 2:47:22 AM


Examining the memberships of those groups will not tell you
whether the accounts that are members in those groups are or
are not members of privileged groups. It will only tell you
whether they are or are not so due to membership in the two
groups you examined.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
February 7, 2005 5:23:18 PM


Roger makes an excellent point. Examine the "Member Of" tab of the user for
which the account cannot be managed and the membership of each privileged
group. That would be a start, since it could become more complex depending on
group nesting, such as if there were groups that are members of privileged
groups. The dsget and dsquery command line tools can also be used to
enumerate a user's membership of all groups, even based on nesting. Those
tools are not available by default in Windows 2000 unless you have a Windows
2003 domain controller or have the adminpak for Windows 2003 installed on an XP
Pro domain member. I have also seen that if a user "was" a member of a
privileged group at one time and was then removed from it, the inheritance of
permissions for that user account from the parent is still disabled, though
if you enable it you should then be able to manage that account via the
users/groups delegated that permission to it. --- Steve

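The checks the last two replies describe, as an added example that is not part of the thread: it walks one user's nested group membership, intersects it with the privileged (protected) groups, and reads the inheritance flag and the delegated group's ACEs on the user object. It assumes the ActiveDirectory PowerShell module (newer than the dsget/dsquery tools the thread mentions) and uses constructed names jsmith and GroupB; the adminCount attribute it relies on is not named in the thread.

```powershell
# Added example, not from the thread. Read-only: it reports, it changes nothing.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'   # constructed sample: the account that cannot be unlocked
$DelegatedGroup = 'GroupB'   # constructed sample: the group delegated user management

# 1. Every group the user belongs to, including through nesting.
#    LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks the member chain on the DC.
#    The command-line equivalent the thread points at:
#      dsquery user -samid jsmith | dsget user -memberof -expand
$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
$allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

# 2. Protected groups (Administrators, Account Operators, Server Operators, ...) carry
#    adminCount=1. Any overlap with the user's nested membership explains the symptom.
$protected = Get-ADGroup -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty Name
$hits = @($allGroups | Where-Object { $protected -contains $_.Name } |
          Select-Object -ExpandProperty Name)

# 3. The user object's own ACL: is inheritance from the parent OU blocked, and does the
#    delegated group hold any ACE directly on the object?
$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$delegatedAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$DelegatedGroup" })

[pscustomobject]@{
    User               = $user.SamAccountName
    AdminCount         = $user.adminCount          # 1 = is, or once was, in a protected group
    NestedGroupCount   = @($allGroups).Count
    PrivilegedGroups   = ($hits -join ', ')         # empty means no privileged path was found
    InheritanceBlocked = $acl.AreAccessRulesProtected
    DelegatedGroupAces = $delegatedAces.Count       # 0 with InheritanceBlocked=True matches the thread's symptom
}
```

An account that left a protected group keeps adminCount=1 and the blocked inheritance until both are reset, which is the lingering case Steve describes.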