HelpDesk can only change passwords for certain OUs in Win2K3 domain

I am trying to go back and figure out the work that a previous network administrator did for our company. Our helpdesk only has access to change the passwords for certain OUs in our domain. Some OUs give them an "Access Denied" error message.

I thought it might be a group policy setting, but this user is in an OU that has group policy blocked from propagating to them.

Any thoughts would be appreciated.
richardmoses asked:
Jay_Jay70 commented:
I would say he has used the Delegation of Control Wizard on each OU.
 
richardmoses (author) commented:
Is there a way I can tell who already has control on each OU? When I run the wizard, it doesn't give me any users.
 
mikeleebrla commented:
Right-click on the OU and go to Properties, then look at the Security tab.
 
Kini pradeep (Principal Cloud and security consultant) commented:
I would agree with Jay_Jay.
The user might have permissions delegated.
To check for existing delegation you could use Acldiag.
I guess dsacls could also be used to check for existing delegations.
As a best practice, you could delegate permissions to a group (helpdesk) at the domain for performing certain functions and then add or remove users to and from the group, rather than delegating to a particular user.
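One way to answer "who already has control on each OU" for the whole domain at once, as an added example that is not part of the original thread: the script reads every OU's ACL through ADSI and lists the trustees allowed to reset passwords. It assumes PowerShell on a domain-joined admin workstation and an account that can read OU security descriptors; the GUID is the schema's User-Force-Change-Password control access right.

```powershell
# Added example (not from the thread): report trustees that can reset passwords per OU.
# Uses ADSI only, so no ActiveDirectory module is required.
# Assumption: run as an account allowed to read each OU's security descriptor.

# rightsGuid of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$SidType       = [System.Security.Principal.SecurityIdentifier]
$NtType        = [System.Security.Principal.NTAccount]

$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter   = '(objectCategory=organizationalUnit)'
$searcher.PageSize = 500

$report = foreach ($hit in $searcher.FindAll()) {
    $ou  = $hit.GetDirectoryEntry()
    $acl = $ou.psbase.ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        # Guid.Empty means "all extended rights" (for example, Full Control).
        if ($ace.ObjectType -ne $ResetPassword -and $ace.ObjectType -ne [Guid]::Empty) { continue }

        # Show a name where the SID resolves; keep the raw SID for deleted accounts.
        try   { $who = $ace.IdentityReference.Translate($NtType).Value }
        catch { $who = $ace.IdentityReference.Value }

        New-Object PSObject -Property @{
            OU        = [string]$ou.distinguishedName
            Trustee   = $who
            Scope     = $(if ($ace.ObjectType -eq $ResetPassword) { 'ResetPassword' } else { 'AllExtendedRights' })
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object OU, Trustee | Format-Table OU, Trustee, Scope, Inherited -AutoSize
```

OUs where the helpdesk group is missing from the output are the ones that return "Access Denied"; rows with `Inherited` set to `False` show where a delegation was applied directly on that OU.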
 
richardmoses (author) commented:
Thanks for the help... It looks like this is how he set it up. I have fixed accordingly.
Question has a verified solution.