Split from Delegating a user with reset password credentials

  • #1
    Split from Delegating a user with reset password credentials

    I've found this post useful... I am hoping for some additional information on this topic though.

    What I was able to do is delegate control to a user and select the 'Reset user passwords and force password change at next login' That part works, what I am wondering is two things...

    First, is there a way to prevent changes to accounts in the Administrator or Domain Admin group?

    Second, trying to follow up on hammo's Unlock and Reset accounts info, I don't see these options... the properties only show a General tab for the users, and for a new OU I created they show General, Managed By and COM+ tabs.

    What I am trying to do is grant password reset and unlock privileges to 4 domain users, but ideally I wouldn't want them to be able to change admin accounts.

    Running Server 2003 R2 Standard (can upgrade to enterprise edition if that would allow more control).

  • #2
    Re: Delegating a user with reset password credentials

    No Comments or Suggestions?



    • #3
      Re: Delegating a user with reset password credentials

      Originally posted by Quinten
      First, is there a way to prevent changes to accounts in the Administrator or Domain Admin group?

      What I am trying to do is grant password reset and unlock privileges to 4 domain users, but ideally I wouldn't want them to be able to change admin accounts.
      What about adding those 4 domain users to the Account Operators group?

      Account Operators: Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.
      Was that so hard?



      • #4
        Re: Delegating a user with reset password credentials

        Sounds like a winner... thanks!



        • #5
          Re: Delegating a user with reset password credentials

          Spoke too soon!

          When testing, an 'account operator' was able to modify the passwords of accounts that are members of the Domain Admins group. I was blocked from adding users to those groups, though.

          Perhaps I am missing something... still



          • #6
            Re: Deligating a user with reset password credentials

            Quinten,
            Please read the forum rules and do not hijack other threads. I have split this into a new topic
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: Split from Delegating a user with reset password credentials

              Hi,

              1. There is a built-in process that runs every 60 minutes by default, called AdminSDHolder, which prevents any delegation for some powerful groups such as Domain Admins. I am doing some testing regarding the same; meanwhile you can achieve it by following the below:

              When you delegate any right(s) at domain level, that is pushed to all the domain objects, but if you want to exclude any object you can achieve that by configuring a Deny permission directly in the Security page of that object. So in your case you can restrict these users in the Security tab of the Domain Admins group's properties.

              By default you will not see this Security page in the properties of the Domain Admins group. To enable the same, click on Advanced Features in the View menu.

              2. As far as your second question is concerned, regarding account info: to get the additional account info you need to register the acctinfo.dll file using the below command:

              regsvr32 acctinfo.dll

              Before running this command you need to copy acctinfo.dll to the system32 folder in your DC where you are running the console.

              You can download the same from the below location:

              http://www.petri.com/download_free_reskit_tools.htm

              To get more detailed information regarding last authentication DC and last account lockout info you can use account lockout tools. Find the location to download the same below:

              http://www.microsoft.com/downloads/d...displaylang=en

              Hope it will help you...
              Kapil Sharma
              ~~~~~~~~~~~~~
              Life is too short, Enjoy It.
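As an added example (not from this thread), the PowerShell audit below, which assumes the RSAT ActiveDirectory module on a domain-joined machine, lists every object that AdminSDHolder currently protects (adminCount=1) and any ACE on it that differs from the AdminSDHolder template. SDProp rewrites a protected object's DACL from that template on each pass (3600 seconds by default, overridable through the AdminSDProtectFrequency value), so a permission set directly on a group such as Domain Admins shows up here as a difference that will not survive the next pass; the script is the check to run before relying on such an entry.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to read nTSecurityDescriptor on the objects involved.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$templateDN = "CN=AdminSDHolder,CN=System,$domainDN"

function Get-DaclAces {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    # Render only the DACL and split it into individual "(...)" ACE strings so that
    # two DACLs can be compared as sets regardless of ACE order.
    $sddl = $Sd.GetSecurityDescriptorSddlForm('Access')
    @([regex]::Matches($sddl, '\([^)]*\)') | ForEach-Object { $_.Value } | Sort-Object -Unique)
}

# The template DACL that SDProp stamps onto every protected object.
$template     = Get-ADObject -Identity $templateDN -Properties nTSecurityDescriptor
$templateAces = Get-DaclAces $template.nTSecurityDescriptor

# SDProp interval: the registry value only exists when someone overrode the default.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -ErrorAction SilentlyContinue
$interval = if ($ntds.AdminSDProtectFrequency) { $ntds.AdminSDProtectFrequency } else { 3600 }
"SDProp interval: $interval seconds"

# Objects SDProp has marked as protected. (adminCount stays 1 after an object leaves a
# protected group, so a stale entry here is worth a look too.)
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainDN `
             -Properties nTSecurityDescriptor

$report = foreach ($obj in $protected) {
    $objAces = Get-DaclAces $obj.nTSecurityDescriptor
    $diff    = Compare-Object -ReferenceObject @($templateAces) -DifferenceObject @($objAces)
    [pscustomobject]@{
        Name            = $obj.Name
        Class           = $obj.ObjectClass
        MatchesTemplate = (-not $diff)
        # '=>' marks ACEs present on the object but not in the template: these are the
        # entries SDProp will remove on its next pass.
        WillBeReverted  = (($diff | Where-Object SideIndicator -eq '=>').InputObject -join ' ')
    }
}

$report | Sort-Object MatchesTemplate | Format-Table -AutoSize
```

Run it once, add a test Deny entry on a copy of a protected group in a lab, and run it again after the interval has elapsed: the WillBeReverted column empties, which is the behaviour to design the delegation around rather than against.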



              • #8
                Re: Delegating a user with reset password credentials

                Originally posted by Ossian
                Quinten,
                Please read the forum rules and do not hijack other threads. I have split this into a new topic
                Sorry about that... it certainly wasn't the intention, as I was looking at the delegation aspect and a reply led to the Account Operator tangent.

                Since you created a new topic, perhaps the title should be changed... or at least the spelling corrected

                Kapil Sharma - Thanks for the reply... I will look into that information the following week as I will be on Holiday! (Yeah!)
                Last edited by Quinten; 25th October 2007, 17:58.



                • #9
                  Re: Split from Delegating a user with reset password credentials

                  As for the mentioned AdminSDHolder, it does not enforce the group membership (other than the built-in Administrator account). It enforces the ACLs applied to a predefined set of sensitive administrative objects, like the Domain Admins, Account Operators, etc. groups.

                  Back to the original question: giving Account Operator to someone who needs to reset passwords/unlock accounts is like giving a chainsaw to someone who needs to do his nails.

                  The easiest way to delegate the desired permissions is:

                  1) Create an OU and move the accounts/groups that you want to be managed by someone else there.
                  2) Delegate permissions at the OU level.

                  If you do not want administrative groups/accounts to be touched by the helpdesk, just do not place them under the OU you delegated.

                  No need for explicit Deny permissions...
                  No need for placing anyone in Account Operators group...
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"
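The two steps above as a script, added here as an example that is not from the thread: it assumes the RSAT ActiveDirectory module and dsacls.exe (shipped on domain controllers), and the OU name and helpdesk group name are placeholders. It creates the OU, grants exactly the rights a reset-and-unlock role needs at OU level (inherited by user objects only), and then checks that nothing privileged has ended up under that OU, which is the property the whole design depends on.

```powershell
# Added example, not the thread's own code. Assumes the ActiveDirectory module (RSAT)
# and dsacls.exe. 'Helpdesk Managed Users' and 'Helpdesk-PasswordReset' are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$ouName   = 'Helpdesk Managed Users'                           # placeholder OU name
$ouDN     = "OU=$ouName,$($domain.DistinguishedName)"
$helpdesk = "$($domain.NetBIOSName)\Helpdesk-PasswordReset"    # placeholder group

# 1) Create the OU that will hold only the accounts the helpdesk may touch.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
            -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2) Delegate at OU level. /I:S = inherit to sub-objects only; ';user' limits each
#    ACE to user objects. CA = control-access right, RP/WP = read/write property.
#    - 'Reset Password'  : the reset itself
#    - pwdLastSet        : needed to tick 'must change password at next logon'
#    - lockoutTime       : needed to unlock an account
$grants = @(
    "${helpdesk}:CA;Reset Password;user",
    "${helpdesk}:RPWP;pwdLastSet;user",
    "${helpdesk}:RPWP;lockoutTime;user"
)
foreach ($g in $grants) {
    & dsacls.exe $ouDN /I:S /G $g | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $g" }
}

# 3) Guardrail: no SDProp-protected account (adminCount=1) and no member of the
#    built-in admin groups may live under the delegated OU. Moving one there later
#    would silently hand the helpdesk a reset on a privileged account.
$adminDNs = foreach ($grp in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$inScope    = Get-ADUser -SearchBase $ouDN -Filter * -Properties adminCount
$violations = $inScope | Where-Object {
    $_.adminCount -eq 1 -or $adminDNs -contains $_.DistinguishedName
}
if ($violations) {
    Write-Warning ('Privileged accounts inside the delegated OU: ' +
                   ($violations.SamAccountName -join ', '))
} else {
    "OK: no privileged accounts under $ouDN"
}

# 4) Show the ACEs that landed on the OU for the helpdesk group.
& dsacls.exe $ouDN | Select-String -SimpleMatch $helpdesk
```

Step 3 is worth scheduling on its own: the delegation is only as safe as the OU's membership, and an account moved into the OU after the fact is the case that turns a narrow reset right into an administrative one.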



                  • #10
                    Re: Split from Delegating a user with reset password credentials

                    Hi Guyt,

                    I am trying to help people to the best of my ability, but I will always need help from you guys, as your help and advice will help me to grow.


                    Thanks,
                    Kapil Sharma
                    ~~~~~~~~~~~~~
                    Life is too short, Enjoy It.
