Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Logon to XP workstations but can reset passwords on an 2003 domain

Posted on 2009-04-02
7
213 Views
Last Modified: 2012-05-06
We have teachers that logon to various workstations in multiple rooms but they need to have an interface each time that will enable them to reset passwords in AD. We do not want them to have admin rights or logon to the server not even using remote. Any ideas how we can make this happen so that it starts when they logon?
0
Comment
Question by:AndyinJapan
7 Comments
 
LVL 8

Expert Comment

by:Share-IT
ID: 24049417
install the admin pack (adminpak.msi) on the client machines. Give them a short cut that points to dsa.msc.
Then give them the account operators rights on the AD.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 24049431
You can delegate control to them to allow them to change passwords and provide them with a custom taskpad
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24049449

It depends how complicated you want  to get, and how simple it has to be for the teachers.

But you could potentially install the AdminPak on that machine which would give them AD Users and Computers. Creating a group and granting that group the "Reset Password" right on all user objects (or the ones you want them to be able to change).

Chris
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 70

Expert Comment

by:Chris Dent
ID: 24049458

I would avoid Account Operators, they can create / delete accounts as well which seems more than you need?

Chris
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24057042
If they have to reset their password each time they logon to a different location, it sounds like they may have passwords changed while logged on from a location or two. Or maybe they have managed passwords on some of these computers.

Really, there shouldn't be much of a need to reset passwords to that extent.
0
 

Author Comment

by:AndyinJapan
ID: 24143862
Hi all,
I can install the admin pack but the issue is with that solution is there are too many PC's to install it to. I had heard of someone setting up the admin pack or at lease something like that when that certain user logon they also got the admin pack installed. I'm not sure if this worked or not...

Many thanks for all your help...
Andy
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24145711

It's an MSI file so you should be able to deploy it easily enough using Group Policy if necessary. There are instructions for doing that here:

http://support.microsoft.com/kb/816102

The only change I'd make is that I recommend using this to manage group policy rather than trying to do it through AD Users and Computers:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Chris
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question