Solved

Allow HelpDesk to unlock user accounts.

Posted on 2007-07-23
Last Modified: 2013-12-04
In a 2003 domain:  What do I need to do to allow a group to unlock user accounts, reset passwords, and force users to change their passwords at next logon without giving them the ability to create accounts?

Thanks
Question by:wsstechs
9 Comments
 
LVL 19

Expert Comment

by:Andrew Davis
ID: 19553154
This can be done with a script. See http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22435598.html
It may require a slight modification but ultimately it resets the password to a generic and resets the account status and sets the account to requiring a password change at next logon.
0
 

Author Comment

by:wsstechs
ID: 19553184
Isn't there any way to just give the HelpDesk specific rights to do this?  They have access to ADUC.
0
 
LVL 4

Expert Comment

by:Irosha
ID: 19553222

Hey

You can add those helpdesk user accounts to the AD Account Operators group. Go to AD Users and Computers, then go to the "Built in" OU. You can find the "Account Operators" group there.

Add the related accounts to the group.
0

 
LVL 19

Expert Comment

by:Andrew Davis
ID: 19553244
Account operators can also delete accounts (you didn't want this). You could go down the path of creating your own group, assigning the rights required and then locking down with permissions; however, I am still unsure if all this will work. A simple script is so much easier.
0
 
LVL 19

Expert Comment

by:Andrew Davis
ID: 19553245
0
 
LVL 4

Expert Comment

by:Irosha
ID: 19553264
This solution may be more useful than the first one.

You can delegate the control to the helpdesk OU. It's like this:

Create a specific OU (e.g. Helpdesk), then move the helpdesk user accounts to that.

After that, right-click the above created OU and select "Delegate Control".

Click Next.

Add the user accounts or the group, then click Next.

Under the "Delegate the Common tasks" option, select the second option.

Try this and let me know.

0
 
LVL 23

Expert Comment

by:Malli Boppe
ID: 19553815
Create a Help desk security group and add all the Helpdesk staff to this group.
Now go to the OU where all your user accounts are created, right-click, go to Properties -> Security -> Advanced, add the helpdesk group and give permissions to reset passwords on the user objects.
0
 
LVL 19

Accepted Solution

by:
CoccoBill earned 2000 total points
ID: 19554455
The last two suggestions are very close but not quite there yet.

Add the helpdesk users to a group (say Helpdesk) and then follow the instructions in this article:
http://support.microsoft.com/kb/296999

That will add the rights to reset passwords and force password change on logon. To add the ability to unlock user accounts, also add these two permissions: Read lockoutTime and Write lockoutTime (http://support.microsoft.com/kb/294952).
0
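
Added example, not part of the original thread: the three permissions named in the accepted solution (Reset Password, pwdLastSet for forcing a change at next logon, and lockoutTime for unlocking) granted from the command line with `dsacls`, scoped to user objects under one OU. The OU distinguished name and the group name are placeholders, and `dsacls.exe` is assumed to be installed (Support Tools on Server 2003).

```powershell
# Placeholders (assumptions): replace with your own OU and delegated group.
$TargetOU = 'OU=Staff,DC=example,DC=com'   # OU that holds the user accounts
$Group    = 'EXAMPLE\Helpdesk'             # security group containing the helpdesk staff

# dsacls permission strings: <rights>;<property or extended right>;<inherited object type>
$Grants = @(
    'CA;Reset Password;user',   # extended right: set a new password without knowing the old one
    'RPWP;pwdLastSet;user',     # read/write pwdLastSet: "User must change password at next logon"
    'RPWP;lockoutTime;user'     # read/write lockoutTime: unlock a locked-out account
)

foreach ($g in $Grants) {
    # /I:S = inherit to sub-objects only; the trailing ";user" limits the ACE to user objects.
    # ${Group} is braced so PowerShell does not read "$Group:" as a scope-qualified variable.
    & dsacls.exe $TargetOU /I:S /G "${Group}:$g"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed while granting '$g'" }
}

# Review step: show every ACE line on the OU that mentions the group.
# Only the three grants above should appear; nothing that creates or
# deletes child objects, and no full control.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Group
```

Because no create-child or delete-child right is granted, members of the group can reset, expire and unlock accounts in that OU but cannot create or delete them, which is the separation the question asks for.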
 

Author Comment

by:wsstechs
ID: 19558103
Thanks Bill, and thanks to everyone else that added their comments.
0
