Well, I'm really doing just that. I go to ADUC, right-click the OU in question, choose Properties, then Security tab, then Advanced, then Add, then select the group, then choose User Object from the drop-down list of possible objects, and tick ALLOW for the Reset Password permission. I keep clicking OK till I'm back at ADUC. Then I right-click a user in the OU and choose Properties and Security tab, and make sure that the permission has filtered down OK.
I do this for the group of users, and they don't have permission. I do the same thing for individual IT bods and it works fine. :S

I will look at doing a dsacls dump for you

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 02 May 2006 12:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ResetPassword perm and groups

Assigning the permission to a group and adding the users to the group should be fine. Sounds like there was some little odd implementation detail that was causing a problem. Give specific detailed steps of what was done including a dsacls dump of the permission applied to the OU.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Tuesday, May 02, 2006 5:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ResetPassword perm and groups

Hi,

I'm having a problem with the ResetPassword permission. I have a script that changes a user's password, which the IT bods use here. The script requires that the IT bods have the Reset Password permission on all the OUs that they manage. The problem we have is that the Reset Password permission only seems to work if I assign it to each IT bod individually. I would like to create an "IT BOD" security group, and include each IT bod in it, then assign that group the Reset Password perm. However, if I do that, the IT bods are unable to reset passwords for people; it only works if they have the permission set individually. Clearly this is gonna be a pain with 10 admins and 4 OUs :S

Any idea why I would be able to assign users the Reset Password perm individually but NOT assign it to a group?
Olly

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
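
Added example, not part of the original thread or written by any of its participants: a PowerShell check for the group delegation described above, listing the Reset Password ACEs held by the group on the OU and on one user beneath it, plus the group's effective members. It assumes the ActiveDirectory module is available; the OU DN is a placeholder and the group is assumed to have the sAMAccountName "IT BOD".

```powershell
# Added example. $ouDn is a placeholder; $groupName assumes the group's
# sAMAccountName matches the "IT BOD" name used in the thread.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'
$groupName = 'IT BOD'

# Well-known schema GUIDs
$resetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sidType  = [System.Security.Principal.SecurityIdentifier]

function Get-ResetPasswordAce {
    param([string]$DistinguishedName, [string]$Sid)
    # Read the DACL and keep only Reset Password ACEs for the given SID.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $Sid -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $_.ObjectType -eq $resetPwd
    } | Select-Object AccessControlType, InheritanceType,
                      InheritedObjectType, IsInherited
}

$group = Get-ADGroup -Identity $groupName

# 1. ACE on the OU: expect Allow with InheritedObjectType equal to $userClass
#    (the "User Object" choice in the ADUC drop-down).
"ACEs for '$groupName' on $ouDn (user class GUID: $userClass)"
Get-ResetPasswordAce -DistinguishedName $ouDn -Sid $group.SID.Value

# 2. Same ACE on one user under the OU: expect IsInherited = True.
$user = Get-ADUser -SearchBase $ouDn -Filter * -ResultSetSize 1
"ACEs for '$groupName' on $($user.DistinguishedName)"
Get-ResetPasswordAce -DistinguishedName $user.DistinguishedName -Sid $group.SID.Value

# 3. Who actually receives the right through the group, nested groups included.
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object SamAccountName, objectClass
```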