• Status: Solved

HelpDesk can only change passwords for certain OUs in Win2K3 domain

I am trying to go back and figure out the work that a previous network administrator did for our company. Our helpdesk only has access to change the passwords for certain OUs in our domain. Some OUs give them an "Access Denied" error message.

I thought it might be a group policy setting, but this user is in an OU that has group policy blocked from propagating to them.

Any thoughts would be appreciated.
Asked by: richardmoses
 
Jay_Jay70 commented:
I would say he has used the Delegation of Control Wizard on each OU.
 
richardmoses (Author) commented:
Is there a way I can tell who already has control on each OU? When I run the wizard, it doesn't give me any users.
 
mikeleebrla commented:
Right-click on the OU and go to Properties, then look at the Security tab.
 
Kini pradeep (IT Technology Senior Consultant) commented:
I would agree with Jay_Jay.
The user might have permissions delegated.
To check for existing delegation you could use Acldiag.
I guess dsacls could also be used to check for existing delegations.
As a best practice, you could delegate permissions to a group (helpdesk) at the domain for performing certain functions and then add or remove users to and from the group, rather than delegating to a particular user.
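The check the answers above describe (finding who has been delegated password resets on each OU) can be scripted. This is an added example, not part of the thread or any poster's own code; it assumes the ActiveDirectory PowerShell module and its `AD:` drive are available on an admin workstation, and the function name `Get-OUPasswordResetDelegation` is hypothetical.

```powershell
# Added example: list principals that can reset user passwords, per OU.
# Assumption: ActiveDirectory module (RSAT) is installed and can reach the domain.
Import-Module ActiveDirectory

# rightsGuid of the "Reset Password" (User-Force-Change-Password) extended right
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An all-zero ObjectType means the ACE covers every extended right (e.g. Full Control)
$AllRights     = [guid]::Empty
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-OUPasswordResetDelegation {
    param(
        # Defaults to the whole domain; pass an OU distinguished name to narrow the scan
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName

        # Read the OU's DACL through the AD: provider drive
        (Get-Acl -Path "AD:\$ou").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
            ($_.ObjectType -eq $ResetPassword -or $_.ObjectType -eq $AllRights)
        } | ForEach-Object {
            [pscustomobject]@{
                OU        = $ou
                Principal = $_.IdentityReference
                Scope     = if ($_.ObjectType -eq $ResetPassword) { 'Reset Password only' }
                            else { 'All extended rights' }
                # False = set directly on this OU (what the wizard writes);
                # True  = flows down from a parent container
                Inherited = $_.IsInherited
            }
        }
    }
}

# Show only ACEs set directly on each OU, which is where per-OU delegation lives
Get-OUPasswordResetDelegation |
    Where-Object { -not $_.Inherited } |
    Sort-Object OU, Principal |
    Format-Table -AutoSize
```

An OU where the helpdesk group is missing from this output is one where a reset will fail with "Access Denied". Individual user accounts appearing as `Principal` are candidates to replace with a group.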
 
richardmoses (Author) commented:
Thanks for the help... It looks like this is how he set it up. I have fixed accordingly.
