Helpdesk and passwords

Hello Experts,

We're using Active Directory 2003 in native mode. I've given the helpdesk the ability to change users' passwords. But for some reason, they can't change all of my users' passwords. It could be 2 users in the same OU. They could change 1 user's password, but not the other, though the 2 users could be in the same groups. I don't understand what's stopping them. I've tried delegating control at the OU level to the group and still no changes. If I put them in the domain admins group it works. But we don't want that of course.
bernardb Asked:

Dave Commented:
If the users have been in an administrative group they may have had the AdminSDHolder property set, or inheritance blocks which stop the help desk updating them. See

http://technet.microsoft.com/en-gb/magazine/2009.09.sdadminholder.aspx

for more info
Sandeshdubey (Senior Server Engineer) Commented:
It seems that permissions are not inherited on the user object or OU/sub-OUs; make sure that permissions are inherited.

Check that delegation is set correctly. http://support.microsoft.com/kb/296999

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/kb/817433 
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

How to View or Delete Active Directory Delegated Permissions
http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
Dave Commented:
Delegated permission is removed if the AdminSDHolder count is >1. If the users have been removed from any admin groups you can use ADSIEdit to reset to "0" and also reset permissions inheritance. If the user is still in an admin group then this will be removed within 15 minutes...
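
Added example, not part of the thread or written by any of its participants: a read-only PowerShell audit that lists user accounts carrying `adminCount=1`, whether their ACL has inheritance disabled, and whether they are still in a protected group. It assumes the ActiveDirectory module (RSAT) with AD Web Services or the AD Management Gateway Service reachable; the function name and `-SearchBase` parameter are hypothetical, and treating every group with `adminCount=1` as protected is an approximation.

```powershell
# Added example: report accounts affected by AdminSDHolder. Changes nothing.
# Assumes the ActiveDirectory module (RSAT) and a reachable AD Web Services /
# AD Management Gateway Service endpoint.
Import-Module ActiveDirectory

function Get-AdminSdHolderReport {
    param(
        # Hypothetical parameter: limit the search to the OU the helpdesk manages.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Approximation: groups currently stamped adminCount=1 are treated as protected.
    $protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

    # Collect every direct or nested member of those groups.
    $stillProtected = @{}
    foreach ($group in $protectedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }

    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' `
               -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                # True means the ACL does not inherit the OU-level delegation.
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # False means the flag is stale: the account has left the admin
                # groups but still carries the protected ACL.
                InProtectedGroup   = $stillProtected.ContainsKey($_.DistinguishedName)
            }
        }
}

Get-AdminSdHolderReport |
    Sort-Object InProtectedGroup, SamAccountName |
    Format-Table -AutoSize
```

Rows with `InheritanceBlocked` true and `InProtectedGroup` false are the accounts where an OU-level password-reset delegation will not apply until the flag and inheritance are reset.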