You should need:

For changing passwords without knowing old password
        CA Change Password 

For unlocking locked accounts
        WP lockoutTime

For expiring passwords (force password to be changed on next logon)
        WP pwdLastSet


Here is a dsacls command that will do the delegation (all one line):

dsacls BASE_DN /I:S /G "dom\grp:CA;Reset Password;user" "dom\grp:WP;lockoutTime;user" "dom\grp:WP;pwdLastSet;user"

Ex:

dsacls cn=users,dc=joe,dc=com /I:S /G "joe\accounttechs:CA;Reset Password;user" "joe\accounttechs:WP;lockoutTime;user" "joe\accounttechs:WP;pwdLastSet;user"



I just tried this and it worked fine. 



Things I would check if things aren't working fine.

1. Verify with dsacls dump the delegated permissions
2. Verify replication of the group to all DCs
3. Verify via whoami or sectok that the group is in the token of the user
attempting to make changes. This simply helps verify replication to the DC
that auth'ed the user. 

  joe
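The same delegation and the first and third checks from the list above, as an added PowerShell example (not part of the original message, and not Joe's or Michel's code). It assumes the ActiveDirectory module is available, that the group is named accounttechs, and that the target container is an OU named "Helpdesk Users" under dc=joe,dc=com; all three are placeholders. The Reset Password rightsGuid and the schemaIDGUIDs for user, lockoutTime and pwdLastSet are read from the directory rather than hardcoded, and the ACEs are built to match dsacls /I:S (sub-objects only, inherited object type user).

```powershell
# Added example: grant and verify the three rights from the dsacls line above.
# Names below are assumptions; replace them with your own OU, domain and group.
Import-Module ActiveDirectory

$TargetDN = 'OU=Helpdesk Users,DC=joe,DC=com'   # assumed OU the technicians manage
$Group    = Get-ADGroup 'accounttechs'           # assumed group name
$GroupSid = [System.Security.Principal.SecurityIdentifier] $Group.SID
$GroupNt  = $GroupSid.Translate([System.Security.Principal.NTAccount]).Value

$rootDse = Get-ADRootDSE

# Resolve the GUIDs from the schema / Extended-Rights container instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid] $obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid] $obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# dsacls /I:S = sub-objects only, which maps to Descendents here.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$TargetDN"

# CA;Reset Password;user  -> ExtendedRight with the Reset Password rightsGuid
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))

# WP;lockoutTime;user and WP;pwdLastSet;user -> WriteProperty on each attribute
foreach ($attrGuid in @($lockoutTime, $pwdLastSet)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $attrGuid, $inherit, $userClass)))
}
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Check 1: dump only the ACEs granted to the group (what you would read out of dsacls).
# Expect one ExtendedRight ACE (ObjectType = Reset Password GUID) and two WriteProperty
# ACEs (ObjectType = attribute GUIDs), all with InheritedObjectType = user class GUID.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $GroupNt } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited

# Check 3: run as the technician to confirm the group is actually in their token
# on the DC that authenticated them (a stale token means replication or re-logon).
whoami /groups | findstr /i 'accounttechs'
```

Run the grant part once as a domain admin and the check lines as the technician. If check 1 shows the three ACEs but check 3 does not list the group, the technician's token predates their group membership, which is Joe's replication point above.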




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, May 09, 2005 4:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange problem

Hi,
        I delegated the password management to the technicians group.
There is a glitch though: they can't seem to be able to reset passwords even
if I gave them the permission to do so (on the OU). All they get is Access denied
(and the check box to set the "change password at next logon" bit is grayed).
The permissions have been set in the security tab, using the Advanced view
of ADUC.

Here are the security settings for the Technicians group:

reset password
change password
read pwdLastSet
write pwdLastSet
read LockoutTime
write LockoutTime
read accountrestrictions


What am I missing here?


Thanks


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
