Password Change Help

  • Thread starter: Ryan Hanisco

Ryan Hanisco

I have a large and complex environment with several domains in the forest.
After bringing a DC online that was down for a few weeks, users that have
been given the Account Operator privileges are no longer able to change
passwords for users.

Full administrators are able to do this, but the end users are getting an
Access Denied message.

They are able to contact the correct PDCe and NSLOOKUP gives them the
correct addresses for GCs and domains.

Suggestions?
 
All,

Actually what is happening is that existing accounts cannot be managed.
These helpdesk users can create new accounts, change their passwords, and
delete the accounts.

So... what gives?
 
What's your environment (DC running 2000 or 2003, SP level)? Did you delegate
permissions using Delegation Control wizard?

smo
 
The primary DCs are 2000 SP4 but the one we brought up again is 2003 gold.
The accounts are members of Account Operators... not a delegated scope of
management.

The Account Operators can manage 80% of the objects but some are read only
and they get the Access Denied Error.

This is not an error with versioning. This is something to do with domain
convergence in either the AD or DNS. I am trying to nail it down to what
and why.
 
Smo,

This is not really applicable, but I appreciate the effort.

Thanks so much.
 
How many "weeks" was that DC offline? There is a time limit where you can
cause problems bringing back a DC after so many days!
 
It is not past the tombstone date. I label servers with the down date
when I take them offline. Besides, then you get tombstone errors in the
event logs. I am seeing none of that.
 
Hey Ryan,

Have permissions been changed? It sounds like the existing accounts are no
longer inheriting permissions.

Or (worse), have these people been added to protected groups?!?
 