Password Reset and Unlock by Help Desk

  • Thread starter Thread starter MikeD
  • Start date Start date
M

MikeD

Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
 
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.

;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------
 
neo said:
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.
Click to expand...

I am going to Google and research this but do you
happen to know the best guide for the delegwiz.inf
file?
;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------

MikeD said:
Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
Click to expand...
Click to expand...
 
Wow, where is the good source of info on this Neo? What is your main source
for the available options and how to modify whitepaper?



neo said:
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify
the delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.

;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------

MikeD said:
Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user
the permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
Click to expand...
Click to expand...
 
Knowing my luck, OE will wrap the links, but I lean quite heavily on the
appendices document.

http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

/neo


Herb Martin said:
neo said:
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.
Click to expand...

I am going to Google and research this but do you
happen to know the best guide for the delegwiz.inf
file?
;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------

MikeD said:
Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
Click to expand...
Click to expand...
Click to expand...
 
Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.

Herb Martin said:
neo said:
You can add these 2 to your delegwiz.inf file. (Don't forget to add the
template numbers to the "templates=" line in the inf.) Once you modify the
delegwiz.inf file, you can use the delegate control wizard in ADUC to
delegate out the rights to a security group.
Click to expand...

I am going to Google and research this but do you
happen to know the best guide for the delegwiz.inf
file?
;----------------------------------------------------------
[template100]
AppliesToClasses=organizationalUnit

Description = "Reset user password"

ObjectTypes = user

[template100.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
lockoutTime=WP
;----------------------------------------------------------

;----------------------------------------------------------
[template110]
AppliesToClasses=organizationalUnit

Description = "Create user accounts"

ObjectTypes = SCOPE, user

[template110.SCOPE]
user=CC

[template110.user]
CONTROLRIGHT= "Reset Password","Change Password","Account Restrictions"
;----------------------------------------------------------

MikeD said:
Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
Click to expand...
Click to expand...
Click to expand...
 
MikeD said:
Windows 2003 SP1 - 100 users.

What rights and permissions and where (in AD) to allow a group or user the
permission to...

(1) reset password accounts
(2) unlock accounts
(3) even create (not as significant though)


Thank you.
Click to expand...

If Neo's options (which look really cool, btw) are too much for you (or
you need a little more than just the 3 you mentioned), there is a
predefined group called "Account Operators" that has those privileges.
It's there so that most user account operations can be quickly handed off
to a separate person, without having to give them full administrative
privileges.
 
neo said:
Silly me... the two links I provided do *NOT* take Exchange 200x into
consideration. So the documents will not cover the ldap properties that
Exchange adds when it extends the schema. However it is possible to
delegate everything with some additional effort w/out giving out the keys to
the kingdom so to speak.
Click to expand...

Why was the 'silly' -- It doesn't seem to be your fault?

Also, the second document isn't available (right now)
-- and this is NOT due to your link, the summary page
appears but there is a web site database error on the
actual document download.

Could (one of you) send me the appendix?
 
because i'm typing the response to a question in the sbs group and well, sbs
is the do all collection of dc/gc/dns/exchange/.etc.

sure... want me to use the "news" address or did you have something else in
mind?
 
neo said:
because i'm typing the response to a question in the sbs group and well, sbs
is the do all collection of dc/gc/dns/exchange/.etc.

sure... want me to use the "news" address or did you have something else in
mind?
Click to expand...

News is fine -- But I forgot to mentoin that .DOCs are blocked.

Please rename to anything like ._doc or zip it.

Thanks so much.
 
Account Op in my opinion should not be used, it is far more powerful than
normally needed unless you have a very small shop and want to give out wide
ranging rights. Other than modifying groups and users acc ops have native rights
such as logging onto DCs and other items. If someone simply wants to delegate
password reset and unlock or even create, it is much smarter to do it in a far
more focused way with delegated permissions and can easily be done through
command line using dsacls.

joe
 
Back
Top