Windows Server

mithra jayapaul · Guest

how to reset password of a administrator of a computer in a domain by
delegating authority to helpdesk..i had used delegation of control
wizard,which didnt work out..
what could be the reason?

--
mithra jayapaul
------------------------------------------------------------------------
mithra jayapaul's Profile: http://forums.techarena.in/member.php?userid=11061
View this thread: http://forums.techarena.in/showthread.php?t=398218
India Forum - http://forums.techarena.in

Paul Bergson · Guest

A less privileged user cannot maintain a privileged account such as the
admin account is. Help desk users can't even reset each others passwords
with out special permissions set.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"mithra jayapaul" <mithra.jayapaul.1xx7bf@DoNotSpam.com> wrote in message
news:mithra.jayapaul.1xx7bf@DoNotSpam.com...

Paul Williams [MVP] · Guest

Mithra,

Here's some information on why:
-- http://www.msresource.net/content/view/38/46/

Note. That article explains how to achieve what you want. But in this case
I don't recommend doing that. Lesser admins shouldn't have permissions over
greater admins accounts, as that can lead to elevation attacks (whether
intentional or not).

This kind of thing is usually best resolved through a new process.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

mithra jayapaul · Guest

we want the helpdesk to reset the administrator password of computer
in a domain...how to delegate only that permission to them without an
other admin privilages.

--
mithra jayapau
-----------------------------------------------------------------------
mithra jayapaul's Profile: http://forums.techarena.in/member.php?userid=1106
View this thread: http://forums.techarena.in/showthread.php?t=39821
India Forum - http://forums.techarena.i

Paul Williams [MVP] · Guest

Load ADU&C and enable advanced features from the View menu.
Right-click on the domain and choose properties and then security.
Click advanced, and select Add (and add the group in question).
In the permission entry dialog, choose "This object and all child objects"
from apply onto and grant the following two permissions:

Create User Objects
Delete User Objects

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

kristinaw · Joined: 08 Nov 2005 Posts: 1 Location: Norfolk, VA

If all you want your help desk to be able to do is reset the local computer administrator account, then they need to be an admin on local computer itself. You shouldn't need to do anything within active directory to enable this, just add your helpdesk group to the local admins group on each computer for which you want them to have this ability.

Kris.

Paul Williams [MVP] · Guest

Sorry! I thought we were talking about creating and deleting users?!?!?
:-(

To reset passwords you require:

-- The extended right User-Force-Change-Password (on the user(s))

-- WP for the attribute User-Password (on the user object to modify)
-- OR, WP for the Pwd-Last-Set attribute (on the user object to modify)

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Paul Williams [MVP] · Guest

You still need to reset the actual object in AD. You need the
Force-User-Change-Password extended right (reset password in the UI) on the
computer object to do this.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

	Windows Server Forum Index -> Active Directory	All times are GMT
Page 1 of 1