AD Delegation

Thread starter: Mark Scott

Mark Scott

I am looking into delegating AD for user account unlock and password change.
I would like to do this without giving the end users access to ADU&C, is it
possible to either do this from a "find" box or even a severely restricted
ADU&C Console? (The users I want to delegate are in OUs underneath a single
OU.)

Regards

Mark
 
To unlock accounts you need the read/write permission on the "lockoutTime"
attribute on the user object. Unfortunately this is not available through
the delegation of control wizard using the common delegated task like
“Unlock a user account”. However, still using the delegation of control wizard,
you can create a custom task that applies to user objects and is property
specific. In the list shown select "read lockoutTime" and "write
lockoutTime".

To reset user passwords you need the “Reset Password” extended right on the
user object. This is also available through the delegation of control wizard
using the common delegated task “Reset a user account’s password”.

If you want to reset user passwords and force password change at next logon
you need the “Reset Password” extended right on the user object and you need
Read/Write permissions on the attribute “pwdLastSet”. This is also available
through the delegation of control wizard using the common delegated task
“Reset user passwords and force password change at next logon”.

For more information on delegating tasks see:
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
and
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

You could create a taskpad for the users who need to do this.
For more info on Taskpad views and tasks:
http://www.microsoft.com/technet/pr...elp/3d0c783c-7789-4400-953b-d22a501ae535.mspx
http://www.winsupersite.com/showcase/win2k_taskpad.asp
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
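The three delegations described above, applied from PowerShell rather than the wizard, as an added example that is not from this thread or from Jorge's posts. It assumes the ActiveDirectory module (PowerShell 5.1 or later), a placeholder OU DN and a placeholder helpdesk group, and resolves the schema and extended-right GUIDs from the directory instead of hard-coding them; it also adds a matching success-audit entry on the OU.

```powershell
# Added example (not from the thread). Grants a helpdesk group the lockoutTime,
# "Reset Password" and pwdLastSet permissions on user objects under one OU,
# then audits successful use of them. OU DN and group name are placeholders.
Import-Module ActiveDirectory

$ouDN     = 'OU=Delegated,DC=example,DC=com'          # placeholder: parent OU
$groupSid = (Get-ADGroup 'Helpdesk-AccountOps').SID   # placeholder: delegated group
$rootDse  = Get-ADRootDSE

# Resolve GUIDs from the schema / Extended-Rights container at run time.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -Filter "lDAPDisplayName -eq '$ldapDisplayName'"
    [Guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$displayName'" -Properties rightsGuid
    [Guid]$o.rightsGuid
}
$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl     = Get-Acl -Path "AD:\$ouDN" -Audit

# Unlock: read/write lockoutTime, scoped to descendant user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $rw, $allow, $lockoutTime, $inherit, $userClass))
# Reset password: the "Reset Password" extended right (not "Change Password").
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $ext, $allow, $resetPwd, $inherit, $userClass))
# Force change at next logon: read/write pwdLastSet.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, $rw, $allow, $pwdLastSet, $inherit, $userClass))

# SACL entry: log successful property writes and extended-right use by this
# group on user objects under the OU (audit policy must be enabled by GPO too).
$acl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $groupSid, ($rw -bor $ext), [System.Security.AccessControl.AuditFlags]::Success,
    $inherit, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run it from an account that can write both the DACL and the SACL of the OU; afterwards `Get-Acl "AD:\$ouDN" -Audit | Format-List Access, Audit` shows the added entries.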
 
Thank you! This is just what I was after. Will give it a go tomorrow.

Cheers

Mark

"Jorge de Almeida Pinto"
 
Jorge,

This worked a treat and now I have a functioning MMC suitable for use!

What I need now is to set up auditing so that I can see who is doing what.
What do you recommend? I need to be able to track which user changed /
disabled / enabled / unlocked what account.

Regards

Mark

"Jorge de Almeida Pinto"
 
Enable auditing account management for successful events in the default
domain controllers GPO.

On the OU where you have delegated the stuff configure WHO you want to audit
for WHICH OBJECTS and for WHICH ACTIONS.
 