User with limited permission..


  • User with limited permission..

    Hi,


    I want to create a user in AD who has limited permissions, only to unlock an account. The user will not be logging into any servers, but he will be accessing AD through the admin pack on their local XP machines.

    What is needed for this user is to be part of a limited group that can view AD but cannot make any changes except for unlocking accounts.

    I hope I am clear with what I want to say.

  • #2
    Re: User with limited permission..

    Hi,

    Have a look at this for delegating the Unlock account right: http://support.microsoft.com/kb/294952
    It's intended for Windows 2000 but it should work for 2k3.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


    • #3
      Re: User with limited permission..

      Thanks for a prompt response.

      The article is specifically for Windows 2000 Server, so it didn't help me.

      But I got this:

      http://support.microsoft.com/kb/279723

      Will check and update.


      • #4
        Re: User with limited permission..

        Originally posted by milind5656:
        Thanks for a prompt response.

        The article is specifically for Windows 2000 Server, so it didn't help me.

        But I got this:

        http://support.microsoft.com/kb/279723

        Will check and update.

        Thanks for sharing it with us. That applies to W2k as well though... but hopefully it will work for you.

        • #5
          Re: User with limited permission..

          Yup, that article is for Win2K, and it didn't work for me.

          The link you gave seems to be the official answer from Microsoft for delegation of account unlock on Win2K3.

          But under point 7, the Read lockoutTime and Write lockoutTime options are not available.

          Working on it, will update you. If you have anything else, please share.


          • #6
            Re: User with limited permission..

            Originally posted by milind5656:
            But under point 7, the Read lockoutTime and Write lockoutTime options are not available.

            Working on it, will update you. If you have anything else, please share.


            Hi, did you save the changes you made to the Dssec.dat file?

            • #7
              Re: User with limited permission..

              Yes, I did that.

              And for your information, lockoutTime is not available under the user caption, but it is available under the computers caption in Dssec.dat (W2K3).

              Also have a look at this:
              http://support.microsoft.com/kb/555986


              • #8
                Re: User with limited permission..

                I've just checked it now, and in W2k3 it is there in the Delegation wizard, so there is no need to edit the Dat file.
                • Start the Delegation Wizard on the OU containing the user accounts.
                • Add the Group - Next
                • Create a Custom Task - Next
                • In the Only the following Objects select User Objects - Next
                • In the next page Select Property-Specific and scroll down where you can select Read Lockout Time and Write lockout time.
                • Finish

                Hope that helps

                • #9
                  Re: User with limited permission..

                  Well, I have done this through ADSIedit.msc.

                  But I didn't want to do it for a group, I wanted it for a user object.
                  Is it necessary to create a group and add the account to set this delegation?

                  I am testing it and will update this. How about you? After adding the user to that group, are the users able to unlock the accounts?


                  • #10
                    Re: User with limited permission..

                    You can use delegation for users or groups.


                    • #11
                      Re: User with limited permission..

                      Thanks L4ndy, I have successfully delegated control for unlocking the account.

                      But the user is not able to unlock the account. The option "Account is locked out" appears grayed out. I can't deselect it. Any suggestions?


                      • #12
                        Re: User with limited permission..

                        OK, this issue has been RESOLVED!


                        And now I am working on the reverse issue.
                        That is, I issued two controls to a user: unlocking accounts and adding a description for other users. The user is successfully able to do both tasks.

                        But now I want one right to be removed from the user, i.e. the user must not be able to add a description to other users.


                        • #13
                          Re: User with limited permission..

                          Originally posted by milind5656:
                          But now I want one right to be removed from the user, i.e. the user must not be able to add a description to other users.

                          • Right-click on the delegated OU.
                          • Properties
                          • Security tab
                          • Advanced, in the bottom right corner
                          • In the permission entries, select the user or group you are delegating to.
                          • Click on Edit
                          • On the Object and Properties tabs, make sure only the permissions you want are selected.
                          • I.e. allow both Read lockout time and Write lockout time and nothing else.

                          Ta
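The permission review described in post #13, done from a script instead of the Security tab. This is an added example and not part of the thread. It assumes the RSAT ActiveDirectory PowerShell module is installed; `$OuDn` and `$Trustee` are placeholder values.

```powershell
# Added example: list every ACE a delegate holds on an OU and flag anything
# beyond Read/Write lockoutTime. $OuDn and $Trustee are placeholder values.
Import-Module ActiveDirectory

$OuDn    = 'OU=Staff,DC=example,DC=com'     # placeholder OU
$Trustee = 'EXAMPLE\unlock-operator'        # placeholder user or group

# Map schemaIDGUID -> lDAPDisplayName so ACE ObjectType GUIDs become readable names.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty)     { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()          # not a schema object, e.g. an extended right
}

# ActiveDirectoryRights flags: ReadProperty (0x10) | WriteProperty (0x20)
$allowed = 0x30

$report = foreach ($ace in (Get-Acl -Path "AD:\$OuDn").Access) {
    # Only look at entries granted directly to the delegate
    if ($ace.IdentityReference.Value -ne $Trustee) { continue }

    $property = Resolve-AceGuid $ace.ObjectType
    # Any right bit outside ReadProperty/WriteProperty is more than "unlock" needs
    $extra    = [int]$ace.ActiveDirectoryRights -band (-bnot $allowed)

    [pscustomobject]@{
        Type       = $ace.AccessControlType
        Rights     = $ace.ActiveDirectoryRights
        Property   = $property
        AppliesTo  = (Resolve-AceGuid $ace.InheritedObjectType)
        Inherited  = $ace.IsInherited
        Unexpected = ($property -ne 'lockoutTime') -or ($extra -ne 0)
    }
}

# Entries with Unexpected = True are the ones to remove (e.g. Write description)
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

If the delegation was made to a group rather than a single user, set `$Trustee` to the group, since the ACEs are stored against the group and not its members.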