Unable to unlock peer group members' accounts

Archived from groups: microsoft.public.win2000.security, microsoft.public.windows.server.security

I have 2 global security groups: group A can manage computer accounts and
group B can manage user accounts. But after I put group A as a member of
group B, everything works (i.e., group A people can manage computer
and user accounts) except that they are unable to reset peer group A
members' user accounts.
I have tried the MS article to select the read/write lockout time and
delegate again. Still the same.

Any idea? Thanks!

Jason
  1. Were they able to manage the user's accounts before and for the same exact
    user? If a user is a member of privileged groups such as administrators,
    account operators, server operators, etc., a regular user who has been
    delegated permissions to manage user accounts for an OU/container cannot
    manage those user accounts. When you examine the security properties of
    users in those privileged groups you will see that the "delegated" group
    does not have permissions to the user and that user object is configured to
    not inherit security settings from parent in advanced page of security
    properties. --- Steve

  2. Steven,
    Members of both groups (A & B) are not part of any privileged groups or
    built-in groups. (I have verified this by checking these two groups'
    "member-of" tab.) They were able to unlock peer user accounts before the
    change.

    Jason

  3. Hmm. The privileged group membership was always what caused this to happen
    in my experience. I can't think of a reason why that would happen offhand if
    they were not. Instead of group nesting I would try to explicitly delegate
    Group A permissions to manage user accounts to see if that works for you.
    --- Steve

  4. Examining the memberships of those groups will not tell you
    whether the accounts that are members in those groups are or
    are not members of privileged groups. It will only tell you
    whether they are or are not so due to membership in the two
    groups you examined.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA

  5. Roger makes an excellent point. Examine the "member of" tab of the user for
    which the account cannot be managed and membership of each privileged
    group. That would be a start since it could become more complex depending on
    group nesting such as if there were groups that are members of privileged
    groups. The dsget and dsquery command line tools can also be used to
    enumerate a user's membership to all groups, even based on nesting. Those
    tools are not available by default in Windows 2000 unless you have a Windows
    2003 domain controller or have adminpak for Windows 2003 installed on an XP
    Pro domain member. I have also seen where if a user "was" a member of a
    privileged group at one time and then removed from it the inheritance of
    permissions for that user account from the parent is still disabled though
    if you enable it you should then be able to manage that account via
    user/groups delegated that permission to it. --- Steve
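
The checks described in this thread (nested membership in privileged groups, and whether the user object still has inheritance disabled), as an added PowerShell example that is not part of the original posts. It assumes the RSAT ActiveDirectory module, which postdates the Windows 2000/2003 tools named above; `Test-DelegationBlocker` and the account `jdoe` are hypothetical names, and `adminCount` is the attribute Active Directory sets on accounts it protects this way.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and read access to the directory. Read-only: it changes nothing.
Import-Module ActiveDirectory

function Test-DelegationBlocker {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Groups named in the thread; extend the list for your domain (assumption).
        [string[]] $PrivilegedGroups = @('Administrators', 'Account Operators', 'Server Operators')
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor

    # Escape the DN for use inside an LDAP filter (backslash first).
    $dn = $user.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a').
                                  Replace('(', '\28').Replace(')', '\29')

    # LDAP_MATCHING_RULE_IN_CHAIN walks the member attribute transitively, so this
    # returns every group the user belongs to directly or through nesting.
    # The primary group is not stored in "member" and is not covered here.
    $allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"

    $hits = @($allGroups |
        Where-Object { $PrivilegedGroups -contains $_.Name } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        User                = $user.SamAccountName
        PrivilegedGroups    = $hits
        AdminCount          = $user.adminCount
        # True means the object does not inherit ACEs from its parent OU,
        # so permissions delegated at the OU never reach it.
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Usage (jdoe is a hypothetical account that the delegated group cannot unlock):
#   Test-DelegationBlocker -SamAccountName 'jdoe'
#
# Reading the result:
#   PrivilegedGroups not empty             -> currently privileged, directly or via nesting
#   PrivilegedGroups empty, AdminCount = 1,
#   InheritanceDisabled = True             -> the "was a member once" case from the last reply
#
# Equivalent membership listing with the tools named in the thread:
#   dsquery user -samid jdoe | dsget user -memberof -expand
```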