05.12.2008 at 02:32PM PDT, ID: 23396049

Delegated users have full control of user object but can't uncheck "User must change password at next logon"

Asked by Slagerij in Windows 2003 Server, Active Directory

Tags: Microsoft, Active Directory, Windows 2000 native, Windows 2003 server

I have delegated control on all containers and OUs containing user accounts to a group called IT-Helpdesk. At this point they have full control, but although they can check the "User must change password at next logon" box and even apply the change, they cannot uncheck this box once it's set, even though seconds earlier it was they who set it in the first place.

The box is NOT grayed out; they simply get "The following Active Directory error occurred: Access Denied" when they try to apply the change after deselecting the box.

Things tried:

- Tested with the effective permissions tool --> an individual user in the IT-Helpdesk group has full control.

- Created a user called delegatetest and made it a member of Domain Users only, then delegated control on user objects to delegatetest. --> Same thing: effective permissions for delegatetest are "full control", but although delegatetest can set the flag, it can't clear it.

- Scripted PwdLastSet and ran the script as both an IT-Helpdesk member and the delegatetest user. --> Same thing. I can set the flag to zero, but I can't set it to today ("-1", in essence clearing the flag) like I can as a domain admin.
Option Explicit
Dim OU, User, RootDSE, Container, Domain, PwdValue

' Bind to the Active Directory domain
Set RootDSE = GetObject("LDAP://RootDSE")
Domain = RootDSE.Get("DefaultNamingContext")
Container = "CN=Users," & Domain
WScript.Echo Container

' PwdLastSet seems to only take 0, which flags "User must change password at next logon",
' and -1, which means today (the DC stamps the current time, clearing the flag).
PwdValue = -1

' Loop through the container
Set OU = GetObject("LDAP://" & Container)

For Each User In OU
    If User.Class = "user" And User.CN = "TestGuy" Then
        WScript.Echo User.CN
        WScript.Echo "Setting PwdLastSet to " & PwdValue
        User.Put "PwdLastSet", PwdValue
        User.SetInfo
    End If
Next
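A diagnostic variant of the script above, added here as an example and not part of the asker's post or the accepted solution: it reads pwdLastSet before and after the write, decodes the ADSI LargeInteger into a date, and reports the HRESULT when the write fails, so a delegated operator can record exactly which of the two values (0 or -1) the DC rejects. The script name pwdlastset-check.vbs and the user DN passed on the command line are assumptions.

```vbscript
Option Explicit
' Added diagnostic (not the asker's script). Usage:
'   cscript pwdlastset-check.vbs "CN=TestGuy,CN=Users,DC=example,DC=com" [set|clear]
' "set" writes 0 (forces a password change at next logon); "clear" writes -1
' (the DC stamps the current time, which clears the flag).
Dim User, Action, NewValue, ErrNum, ErrText

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript pwdlastset-check.vbs <userDN> [set|clear]"
    WScript.Quit 1
End If
Set User = GetObject("LDAP://" & WScript.Arguments(0))
WScript.Echo "Before: pwdLastSet = " & ReadPwdLastSet(User)

If WScript.Arguments.Count > 1 Then
    Action = LCase(WScript.Arguments(1))
    If Action = "set" Then NewValue = 0 Else NewValue = -1

    ' Attempt the write and capture the result instead of aborting the script
    On Error Resume Next
    User.Put "pwdLastSet", NewValue
    User.SetInfo
    ErrNum = Err.Number: ErrText = Err.Description
    On Error GoTo 0

    If ErrNum <> 0 Then
        ' 0x80070005 is E_ACCESSDENIED: the caller lacks write access to pwdLastSet
        WScript.Echo "Write of " & NewValue & " failed: 0x" & Hex(ErrNum) & " " & ErrText
    Else
        User.GetInfo   ' refresh the property cache from the DC before reading back
        WScript.Echo "After:  pwdLastSet = " & ReadPwdLastSet(User)
    End If
End If

' pwdLastSet is a 64-bit count of 100-nanosecond intervals since 1601-01-01 (UTC);
' 0 means "User must change password at next logon" is set.
Function ReadPwdLastSet(objUser)
    Dim objLarge, dblTicks
    Set objLarge = objUser.Get("pwdLastSet")
    dblTicks = objLarge.HighPart * (2 ^ 32) + objLarge.LowPart
    ' LowPart is a signed 32-bit Long; correct for the sign when the high bit is set
    If objLarge.LowPart < 0 Then dblTicks = dblTicks + (2 ^ 32)
    If dblTicks = 0 Then
        ReadPwdLastSet = "0 (must change password at next logon)"
    Else
        ' 600,000,000 intervals per minute, 1440 minutes per day
        ReadPwdLastSet = CStr(#1/1/1601# + (dblTicks / 600000000 / 1440)) & " UTC"
    End If
End Function
```

Run it once with "set" and once with "clear" under the delegated account; the two results, with the HRESULT, are the evidence to compare against the ACEs on the user object.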
About this solution

Zones: Windows 2003 Server, Active Directory
Solution Provided By: paulhekje
Participating Experts: 1
Solution Grade: B