Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

HelpDesk can only change passwords for certain OUs in Win2K3 domain

Posted on 2006-07-03
5
Medium Priority
?
301 Views
Last Modified: 2010-04-18
I am trying to go back and figure out the work that a previous network administrator did for our company. Our helpdesk only has access to change the passwords for certain OUs in our domain. Some OUs give them an "Access Denied" error message.

I thought it might be a group policy setting, but this user is in an OU that has group policy blocked from propagating to them.

Any thoughts would be appreciated.
0
Comment
Question by:richardmoses
5 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 400 total points
ID: 17033282
i would say he has used the delegation of control wizard on each OU
0
 
LVL 1

Author Comment

by:richardmoses
ID: 17033345
Is there a way I can tell who already has control on each OU? When I run the wizard, it doesn't give me any users.
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 100 total points
ID: 17033688
rightclick on the OU and go to properties, then look at the security tab.
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 17042790
i would agree with Jay_Jay.
the user might have permissions delegated.
to check for existing delegation you could use Acldiag.
i guess dsacl could also be used to check for existing delegations.
you could delegate permissions for a group (helpdesk) at the domain for performing certain functions and then add or remove users to and from the group as a best practice rathar then delegating to a particular user.
0
 
LVL 1

Author Comment

by:richardmoses
ID: 17042860
Thanks for the help...It looks like this is how he set it up. I have fixed accordingly.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question