kiwistag
asked on
Restricted AD user management from a PC for a specific OU
In a school situation - we have just upgraded our AD Servers to Server 2003 Enterprise R2 from Server 2003 Std.
I have been told with R2 it is possible to allocate the ability to certain users to change passwords of others for a specific OU.
In this case we want 2 staff members who we DON'T want to be Domain Admins to be able to change only student passwords. All students are in their own security & distribution group and in their own OU.
So far I haven't found any info on how to do it yet..
ASKER
Thanks - next step: is there a way for the staff to do it from their PC (via a snap-in or equivalent) rather than being allowed to log into the server?
You would just install the Windows 2003 SP1 admin tools on their machines.
ASKER
Another snag - it seems if I follow the Petri instructions that it will allow me to modify the sub contents of the New Taskpad view but not the primary contents.
For current management's sake (for example) we have a Sub-OU called 2007. The users running the MMC console can reset the passwords of users within the subcontainers but not within the primary OU container.
So - clicking on domain\Pupils\Username and choosing reset password doesn't work however clicking on \domain\Pupils\2007\Username does.
HOWEVER running change password on a user from the Active Directory Users and Computers SnapIn does with the same Delegated Control user....
http://www.microsoft.com/technet/technetmag/issues/2007/02/ActiveDirectory/