djerryanderson asked:

Giving users permissions to reset passwords and enable accounts

I am in the process of setting up a taskpad to allow a few people at our office to reset user passwords and enable user accounts that are disabled (locked). I went through the delegate control wizard on the OU with the accounts and gave the permission to reset passwords to the people who need them. I then went through a document that explained how to create a taskpad and did that. I installed the AD parts of the admin pack (server 2003) on the computers that the "password resetters" are using. This seems to work - the PCs are XP Pro SP2 and it's a Windows 2008 SBS environment they need to manage. I have 2 issues though.

1) If a user launches any of the AD tools (instead of the taskpad I created), they are blocked from doing almost everything (that I tested anyway). For instance, they cannot force a replication between DCs or raise the functional levels of the domain or forest. However, they CAN create computers and users even though I specifically DID NOT grant that permission in the delegation wizard on that OU.

2) They CANNOT enable a disabled user account.

I went back through the delegation of control wizard again, and didn't see anything intuitive to answer #2, and I assume that I can just remove the people from the security tab and start over to delete any existing permissions to the OU to fix #1, but I still want to make sure these people ONLY have the permissions to reset passwords and enable disabled accounts.
ASKER CERTIFIED SOLUTION
Cris Hanna
I agree with CrisHanna_MVP
On the AD Users and Computers/Users container (or another OU that you want to give them permission to), edit the permissions on the container and give the user(s) or group the following permissions, applied to "Descendant User Objects" ONLY:
Read lockout time
Write lockout time
Reset password
Change password
NOTE: You have to click on the Properties tab when you edit the Advanced security settings for the user or group in order to see/change the settings for Read/Write lockout time.  
This will definitely allow them to unlock a locked account.  If you actually want them to be able to enable a user account that has been permanently disabled, post back and I'll find out which attribute is required to do that.
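The same delegation as a script, added here as an example and not code from anyone in this thread. It does what the answer above describes through the GUI (Reset Password extended right plus Read/Write on lockoutTime, inherited to descendant user objects only), and it also addresses the asker's issue #1 by listing every ACE the delegated group holds on the OU so leftover rights such as "create user/computer objects" can be spotted and removed. It goes one step past the answer with an optional switch for the enable/disable case: that operation writes the ACCOUNTDISABLE bit of userAccountControl, and write access on that attribute covers every other flag in it too, which is the least-privilege caveat to weigh before granting it. "Change password" is left out because a helpdesk reset does not use it. Assumed, constructed values: the OU "OU=Staff,DC=example,DC=com" and the group "EXAMPLE\PasswordResetters"; the function names are mine. It uses only System.DirectoryServices (no ActiveDirectory module), so it runs on the 2008-era tooling in the question from an account allowed to edit the OU's security descriptor.

```powershell
# Added example (not from the original thread). Assumed/constructed: the OU DN,
# the group name, and that this runs domain-joined as an account that may edit
# the OU's ACL. Only System.DirectoryServices is used, no ActiveDirectory module.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext

# Resolve the schemaIDGUID of a class or attribute from the live schema
# instead of hard-coding well-known GUIDs.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $s.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$s.PropertiesToLoad.Add("schemaIDGUID")
    $bytes = [byte[]]$s.FindOne().Properties["schemaidguid"][0]
    New-Object Guid (,$bytes)
}

# Resolve the rightsGuid of a control-access (extended) right by display name.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $s.Filter = "(displayName=$DisplayName)"
    [void]$s.PropertiesToLoad.Add("rightsGuid")
    [Guid]$s.FindOne().Properties["rightsguid"][0]
}

function Grant-PasswordResetDelegation {
    param(
        [string]$OuDn,
        [string]$GroupName,
        [switch]$IncludeEnableDisable   # also grant write on userAccountControl
    )
    $ou  = [ADSI]"LDAP://$OuDn"
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $userClass   = Get-SchemaGuid "user"
    $lockoutTime = Get-SchemaGuid "lockoutTime"
    $resetPwd    = Get-ExtendedRightGuid "Reset Password"

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Descendents = apply to child objects only, not to the OU itself
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rpwp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ctrl    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $rules = @(
        # "Reset password" control-access right on descendant user objects only
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $ctrl, $allow, $resetPwd, $inherit, $userClass)
        # Read + Write lockoutTime: the "Unlock account" checkbox writes this
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rpwp, $allow, $lockoutTime, $inherit, $userClass)
    )
    if ($IncludeEnableDisable) {
        # Enable/disable flips the ACCOUNTDISABLE bit of userAccountControl.
        # Write on that attribute also allows every other UAC flag (for example
        # "password not required"), so only grant it if that is acceptable.
        $uac = Get-SchemaGuid "userAccountControl"
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rpwp, $allow, $uac, $inherit, $userClass)
    }
    foreach ($r in $rules) { $ou.ObjectSecurity.AddAccessRule($r) }
    $ou.CommitChanges()
}

# Audit: every ACE on the OU that names the group (explicit and inherited).
# The intended result is exactly the rules above; anything else, such as
# CreateChild for user or computer classes, is a leftover to remove.
function Get-DelegatedRights {
    param([string]$OuDn, [string]$GroupName)
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $GroupName } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Usage with the constructed OU and group names:
Grant-PasswordResetDelegation -OuDn "OU=Staff,DC=example,DC=com" `
                              -GroupName "EXAMPLE\PasswordResetters"
Get-DelegatedRights -OuDn "OU=Staff,DC=example,DC=com" `
                    -GroupName "EXAMPLE\PasswordResetters" | Format-Table -AutoSize
```

The ObjectType column in the audit output is a GUID; compare it with the values Get-SchemaGuid and Get-ExtendedRightGuid return to confirm each ACE is one of the intended three, and run the audit before granting as well so pre-existing rights (the ones behind the asker's issue #1) are visible.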
djerryanderson (ASKER):

Thanks Cris - worked fine. hyper, I may have done something wrong there, but that still wouldn't let me unlock disabled accounts???
It will allow the user to unlock LOCKED accounts (i.e., when the user has typed the wrong user ID or password too many times and the account gets locked).  I don't believe it will allow the user to enable an AD account that has actually been set to "Disabled" status, but I've never tested this out.
The reason that I don't recommend adding these users to the Account Operators group is that this gives them more than just permission to change passwords and unlock locked accounts.  If that's really what you want to limit them to do, then you don't want them to be members of the Account Operators group.