Restrict user


Steve

Here is my goal. Have a generic user logged into my
domain controller that only has the permission to reset
passwords for user accounts in Active Directory. I want to
have this user logged in to the domain controller at all
times and utilize the "run as" command to log on to do
more major administration tasks such as administer group
policies, create groups and OUs etc. What's the best way
to go about setting up this user to only be able to reset
passwords?


Thanks in advance
 
Hi Steve-

I believe it would be much better to merely give the user the ADUC tool on
their desktop and tell them to launch it with RUNAS. If you must have them
log on to a DC, edit the DC policy in your domain for the "Log on locally"
security option.

--
Thanks,
Richard Moreno
MCSE NT4\2000\2003
MCSA 2000\2003

*This posting is provided "AS IS" with no warranties, and confers no
rights.
 
| Here is my goal. Have a generic user logged into my
| domain controller that only has the permission to reset
| passwords for user accounts in Active Directory. I want to
| have this user logged in to the domain controller at all
| times and utilize the "run as" command to log on to do
| more major administration tasks such as administer group
| policies, create groups and OUs etc. What's the best way
| to go about setting up this user to only be able to reset
| passwords?
|
|
| Thanks in advance
|

Open Active Directory Users & Computers and delegate control to the
account for all of the OUs that contain user accounts.

1) Right click on the OU and choose Delegate Control.

2) In the delegation of control wizard, select your generic account, then
in the next screen select "Create a custom task to delegate".

3) In the next screen, choose the radio button for "Only the following
objects in the folder", then put a check mark next to User objects, then
click next.

4) In the Permissions screen, put checks next to "change password", "reset
password", and the "read and write account restrictions" permissions. Then
click next to finish.


Chad A. Lacy
Windows 2000 Directory Services

==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.
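
A way to check the result of the delegation described in the post above, as an added example that is not part of the original thread: it flags any ACE the generic account holds beyond the three permissions ticked in step 4. The OU name, the account name and the sample ACEs are constructed placeholders, and `Test-DelegationAce` is a hypothetical helper name.

```powershell
# Added example: checks the ACEs the delegated account holds on a user OU.
# GUIDs are the AD schema identifiers behind the three boxes ticked in step 4.
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions (property set)'
}
$UserClass   = 'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$AllowedBits = 'ExtendedRight', 'ReadProperty', 'WriteProperty'

function Test-DelegationAce {
    param([Parameter(Mandatory)] $Ace)
    $right = "$($Ace.ObjectType)".ToLower()
    $scope = "$($Ace.InheritedObjectType)".ToLower()
    # Any access bit other than the three the wizard grants is reported.
    $extra = @("$($Ace.ActiveDirectoryRights)" -split ',\s*' |
               Where-Object { $_ -notin $AllowedBits })
    $finding = if ("$($Ace.AccessControlType)" -ne 'Allow') { 'REVIEW: deny ACE' }
        elseif (-not $Expected.ContainsKey($right)) { 'UNEXPECTED: right not in step 4' }
        elseif ($scope -ne $UserClass) { 'UNEXPECTED: not limited to user objects' }
        elseif ($extra.Count -gt 0) { "UNEXPECTED: extra access ($($extra -join ', '))" }
        else { "ok: $($Expected[$right])" }
    [pscustomobject]@{
        Rights  = "$($Ace.ActiveDirectoryRights)"
        Object  = $right
        Finding = $finding
    }
}

# Constructed sample ACEs, using the property names of the objects Get-Acl returns.
function New-SampleAce($Rights, $ObjectType, $Scope) {
    [pscustomobject]@{ ActiveDirectoryRights = $Rights; ObjectType = $ObjectType
                       InheritedObjectType = $Scope; AccessControlType = 'Allow' }
}
$g0 = '00000000-0000-0000-0000-000000000000'
$sample = @(
    New-SampleAce 'ExtendedRight' '00299570-246d-11d0-a768-00aa006e0529' $UserClass
    New-SampleAce 'ExtendedRight' 'ab721a53-1e2f-11d0-9819-00aa0040529b' $UserClass
    New-SampleAce 'ReadProperty, WriteProperty' '4c164200-20c0-11d0-a768-00aa006e0529' $UserClass
    New-SampleAce 'GenericAll' $g0 $g0   # broader than the delegation in the post
)
$sample | ForEach-Object { Test-DelegationAce $_ } | Format-Table -AutoSize

# On a host with the ActiveDirectory module (OU and account are placeholders):
#   Import-Module ActiveDirectory
#   (Get-Acl 'AD:\OU=Staff,DC=example,DC=com').Access |
#       Where-Object { $_.IdentityReference.Value -eq 'EXAMPLE\pwreset' } |
#       ForEach-Object { Test-DelegationAce $_ }
```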
 
Step-by-Step Guide to Using the Delegation of Control Wizard:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp
This guide shows how to delegate control of objects in an Active Directory
service container, using the Delegation of Control wizard in the Active
Directory Users and Computers snap-in.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 