List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.


When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: RE: [ActiveDir] Specific rights needed to change a password Domain user password

danholme (Posts: 165)
02/21/2009 6:13 AM
There is a Reset Password control access right. That's all you need to delegate

dsacls "OUDN" /I:S /G "DOMAIN\group":CA;"Reset Password";user

What you read about was a different delegation, CHANGE password. This is delegated to a broader group (e.g. Everyone or Anonymous). The CHANGE password capability allows a user or computer to change its password by entering the OLD password *and* the NEW password. This is different from an admin who RESETs a password without needing to know the old password.

Dan
Dan Holme
Intelliem (www.intelliem.com)
808.463.4858 new iPhone

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 05, 2009 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specific rights needed to change a password Domain user password

The Appendices to Best Practices for Delegating Active Directory Administration list all of the administrative operations in AD and the rights needed to perform them. See http://www.microsoft.com/downloads/details.aspx?familyid=29DBAE88-A216-45F9-9739-CB1FB22A0642&displaylang=en.

-gil
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Britt, Brian
Sent: Thursday, February 05, 2009 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specific rights needed to change a password Domain user password

All:

What are the exact rights needed to change a domain user's account password?

I have moved users to an OU, and we delegate certain permissions in the OU. We do not want to give full control of the user account to the OU admin, just the ability to set the password when it is time to change it.

I gave perms to the OU admins security group on the account security tab to reset password, but they received "Access denied." So, I surmise that there must be other rights necessary in order for this to happen.

The method they used was going to ADUC and then to their OU and then right click account > reset password > Access Denied.

We only want them to reset the password. We have another tool for provisioning accounts and do not want them to write to any other attribute of the account. This is done through a centralized provisioning system.

I read an article that stated that the Everyone group or Anonymous needs to be given perms to change password so that the account can be changed without having to log in. As this is a service account, it would be nice to have the OU admins just right-click in ADUC to reset the password at will without giving them any other control over the account attributes.

Brian Britt
Vanderbilt University
Directory Services Specialist
615-322-4676
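The delegation Dan describes above, written out as an added PowerShell example (this is not code from the original thread; the OU distinguished name and the group name are placeholders you would replace). It creates the same ACE as his dsacls line, an Allow ACE for the "Reset Password" control access right that is inherited only by user objects below the OU, and then reads the OU's ACL back so you can confirm that only that right, and nothing broader such as Full Control or Write to other attributes, was granted to the group. The three GUIDs are the fixed schema identifiers for the Reset Password right, the Change Password right and the user object class.

```powershell
# Added example, not from the original thread. Delegates only the
# "Reset Password" control access right on an OU to a group, scoped to
# user objects beneath the OU, then lists the extended-right ACEs on the OU.
Import-Module ActiveDirectory

$ouDN      = 'OU=ServiceAccounts,DC=corp,DC=example'   # assumed OU DN (replace)
$groupName = 'OU-Admins'                                # assumed delegation group (replace)

# Well-known schema GUIDs, identical in every AD forest:
$resetPasswordRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # controlAccessRight "Reset Password"
$changePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # controlAccessRight "Change Password"
$userClassGuid       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

$group = Get-ADGroup -Identity $groupName
$acl   = Get-Acl -Path "AD:\$ouDN"

# Same ACE as: dsacls "OUDN" /I:S /G "DOMAIN\group":CA;"Reset Password";user
#   ExtendedRight + ObjectType = Reset Password  -> only that control access right
#   Descendents + InheritedObjectType = user     -> applies to user objects below the
#                                                   OU, not to the OU or other classes
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: every ACE on the OU that carries the ExtendedRight bit, with the two
# password rights named. Expected for the group: Allow, Right = Reset Password,
# Inherit = Descendents, AppliesTo = the user class GUID, and nothing else.
# GenericAll ACEs also match here (they include ExtendedRight), so a Full Control
# grant to the group would show up as well and is what you do not want to see.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight } |
    ForEach-Object {
        $objectType = $_.ObjectType
        $rightName = switch ($objectType) {
            $resetPasswordRight  { 'Reset Password' }
            $changePasswordRight { 'Change Password' }
            ([Guid]::Empty)      { 'All extended rights' }
            default              { "$objectType" }
        }
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Right     = $rightName
            Inherit   = $_.InheritanceType
            AppliesTo = $_.InheritedObjectType
        }
    } | Format-Table -AutoSize
```

Run it from a host with the RSAT ActiveDirectory module, as an account that may modify the OU's security descriptor. Two practical caveats: the ADUC Reset Password dialog also offers "User must change password at next logon", and ticking it writes pwdLastSet, which this ACE does not allow, so helpdesk staff who tick that box will still get Access Denied unless you additionally grant Write on pwdLastSet; and the Change Password right Dan contrasts with Reset is normally granted to Everyone and SELF on each user object through the user class's default security descriptor, so it will not appear in the OU listing above but will on the individual accounts.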

Copyright 2012 ActiveDir.org