Why would you want to modify the change password rights on your OUs? That doesn't make sense to delegate: unlike password reset, it's the right that only allows you to _change_ the password if you know the old one...

So this is typically the right the users would need to change the PW on their own account - and by default it's granted to the Everyone well-known-secprin. This is NOT a security issue since if you know a user's password, you _are_ the user.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Friday, 22 December 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

________________________________

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
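
As an added example that is not part of the thread: one way to script the OU-level ACL delegation discussed above, granting a helpdesk group only Reset Password and unlock on user objects and leaving Change Password untouched. The OU distinguished name and the group name are placeholders (assumptions), and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: delegate password reset + unlock on one OU to a helpdesk group.
# $OuDn and $Group are placeholder values, not taken from the thread.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=com'
$Group = 'EXAMPLE\Helpdesk-PasswordReset'

# Well-known GUIDs from the AD schema and the Extended-Rights container.
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password (User-Force-Change-Password)
$LockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$descendant = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$OuDn"

# Reset Password is an extended right; scope it to user objects below the OU.
# Change Password is deliberately not granted: it only works with the old
# password and is already held by Everyone by default.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $extended, $allow, $ResetPassword, $descendant, $UserClass)))

# Unlock = write lockoutTime; "must change password at next logon" = write pwdLastSet.
foreach ($attr in $LockoutTime, $PwdLastSet) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $readWrite, $allow, $attr, $descendant, $UserClass)))
}

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review step: list every explicit ACE the group holds on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -eq $Group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Accounts protected by AdminSDHolder do not inherit OU permissions, so this delegation does not extend to members of privileged groups.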