The manual should say admins with system privilege OR unrestricted or restricted policy privilege can do this.
If you give your platform specialists restricted policy privilege to one (or more) domain, they can register, unregister, lock, unlock, and change passwords for nodes in that domain only. They can't affect clients in the OTHER policy domains.

I do this for several groups, for just the reasons you describe. Greatly helps offload work from us system admins!

-----Original Message-----
From: brian welsh [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 5:00 PM
To: [EMAIL PROTECTED]
Subject: Unlock privilege

Hello,

In our company we have several units for different platforms, f.i. AIX, NT, Sun and so on. The units (platform-specialists) are doing their own restores and every platform has one or more policy domains with different management classes.

We are using password access generate. So after password expiration the platform-admins don't know the password for the client in case of restoring a machine from scratch, and have to contact our unit (Stor. Man). Sometimes they type in a wrong password and the node is locked.

We want to use an admin that can unlock the client-node and update the password in case of restores so the platform-admins don't have to call our unit (storage Man.) and don't lose time in case of quick install.

The manual is saying that admins with system privilege, and unrestricted and restricted policy privilege can lock/unlock and update passwords. The problem is that this is too much privilege.

I was wondering how other sites are dealing with this issue.

Thanks,
Brian.
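
The delegation described in the reply at the top of this thread, written out as an added example that is not part of either message. It assumes the server is ADSM/TSM and uses that product's administrative commands in macro form; AIXADMIN, AIX_DOMAIN, AIXNODE1 and both passwords are constructed placeholders.

```text
/* Constructed example: AIXADMIN, AIX_DOMAIN, AIXNODE1 and the   */
/* passwords are placeholders, not values from this thread.      */

/* Step 1, run by an administrator with system privilege:        */
/* create the platform team's admin ID and grant it restricted   */
/* policy privilege, scoped to that team's policy domain only.   */
register admin AIXADMIN InitialPw0rd
grant authority AIXADMIN classes=policy domains=AIX_DOMAIN

/* Step 2, verify the scope. The detailed output shows which     */
/* privilege classes the ID holds; it should list AIX_DOMAIN     */
/* under policy privilege and show no system privilege.          */
query admin AIXADMIN format=detailed

/* Step 3, run by AIXADMIN during a restore from scratch:        */
/* unlock the node and set a password the restore can use.       */
unlock node AIXNODE1
update node AIXNODE1 NewNodePw0rd

/* Per the reply above, the same two commands issued by AIXADMIN */
/* against a node in another policy domain are refused.          */

/* Step 4, withdraw the delegation when it is no longer needed.  */
revoke authority AIXADMIN classes=policy domains=AIX_DOMAIN
```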