Ah interesting. For tasks related specifically to technically proficient IT personnel, I prefer to keep it simple (from the standpoint of application layers in between the user and the completed task). I delegate granular rights, give them the adminpak, and tell them what they can and can't do. If they try to do something they can't do, they just get an access denied error anyway. There are no additional layers of software to make things overly complex (and easier to break).
For non-IT personnel, that's where having an alternative front-end is nice. In our case, we have an in-house developed web-based application that allows our HR department to directly create and disable user accounts as well as do other minor configuration such as mailbox enabling. This addressed a communications gap in which HR and IT would not communicate effectively enough and new and terminated employees would not have accounts created or disabled in a timely manner. Now that HR has the ability to do that themselves, the process has been streamlined and things in general run a lot smoother. This same web-based application also acts as our internal corporate directory.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly sporadically stopped working, throwing what appear to be .net errors.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

________________________________
From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
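
An added example, not part of the original thread or any poster's own configuration: one way to script the OU-level ACL delegation described in the thread (reset/change password and unlock only) with the built-in `dsacls` tool. The OU distinguished name and group name are assumed placeholders.

```powershell
# Added illustration; $ou and $group are hypothetical placeholders.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk-PasswordReset'

# Each grant is scoped three ways:
#   /I:S           -> the ACE is inherited by sub-objects only, not set on the OU itself
#   trailing 'user'-> the ACE applies to user objects only
#   one right each -> nothing broader than the task needs
$grants = @(
    'CA;Reset Password',    # extended right: set a new password without knowing the old one
    'CA;Change Password',   # extended right: change a password when the old one is known
    'RPWP;pwdLastSet',      # read/write: allows "user must change password at next logon"
    'RPWP;lockoutTime'      # read/write: allows unlocking a locked-out account
)

foreach ($g in $grants) {
    # ${group} is braced so PowerShell does not parse "$group:" as a scoped variable.
    dsacls $ou /I:S /G "${group}:$g;user"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for grant '$g'" }
}

# Review step: list every ACE on the OU that names the delegated group, so the
# result can be compared against the four grants above and nothing else.
dsacls $ou | Select-String -SimpleMatch $group

# Caveat: accounts protected by AdminSDHolder (adminCount = 1, e.g. members of
# Domain Admins) do not inherit ACEs from the OU, so this delegation does not
# let the helpdesk group reset their passwords.
```

Because the group holds only these rights, any other action attempted through ADUC fails with access denied, which is the behaviour described at the top of the thread.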