Hi Gray,

To set the minimum rights for an AD account to reset a password, do the following:

- Create a basic domain account without any additional privileges
- Use Delegate control wizard within "User and computers", then
  - User Object
  - Reset Password
  - Write lockoutTime (if unlock is enabled)
  - Write shadowlastchange
That’s it!

On 15 Jan 2014, at 22:00, Gray McCord <[email protected]> wrote:

> I’ve been using LTB very successfully for months on an AD/LDAP environment
> and have finally gotten to the point where I’ve turned it over to our users
> to try. What I want to do is create an “LTB-only” AD user which only has the
> permissions necessary to change and reset passwords. I created the user in
> AD and ran the Delegation of control wizard to set this up. I thought that
> enabling “Reset user passwords” and “Read all user information” might work,
> but alas, no. I wound up having to select “create, delete, and manage user
> accounts”. The good news is that it’s no longer using my or an admin’s
> credentials, but I think I don’t really need LTB to be able to create or
> delete or change group membership for users, which I think this setting
> permits.
>
> Anyway, does anyone know what the minimum appropriate set of permissions /
> best practice should be to allow LTB to do its job?
>
> Thanks!
>
> Gray
>
> Gray McCord
> Adapt, Mutate, Migrate, or Die
> -C. Darwin
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> _______________________________________________
> ltb-users mailing list
> [email protected]
> http://lists.ltb-project.org/listinfo/ltb-users
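The delegation described in the reply can also be scripted and reviewed with `dsacls` instead of the wizard. This is an added example, not part of the original messages or of LTB; the OU distinguished name and the account name are constructed placeholders, and the attribute names are the ones given in the reply.

```powershell
# Constructed placeholders: replace with your own OU and service account.
$TargetOU   = 'OU=Staff,DC=example,DC=com'
$ServiceAcc = 'EXAMPLE\svc-ltb'

# Rights named in the reply, in dsacls form:
#   CA = control access (extended right), WP = write property.
$Grants = @(
    'CA;Reset Password;user',
    'WP;lockoutTime;user',        # only if unlock is enabled
    'WP;shadowLastChange;user'
)

foreach ($g in $Grants) {
    # /I:S applies the ACE to sub-objects only; the trailing ";user"
    # restricts inheritance to user objects.
    & dsacls.exe $TargetOU /I:S /G "${ServiceAcc}:$g"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g'" }
}

# Review step: list every ACE on the OU that names the service account.
# Anything beyond the grants above is privilege the account does not need.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $ServiceAcc
```

Scoping the grant to the OU that holds the self-service users, rather than the domain root, keeps the account from being able to reset passwords of accounts stored elsewhere.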
