Giving rights to a group to reset and unlock users in a AD domain

[sqldbaguy]

Hi guys,

Im new here. I have a problem that I hope you guys can help with. Our A.D. guy has quit so they are giving me (the SQL DBA guy) the responsibilities.

I am trying to add this group of users, who we are calling the "Account Password Reset group" and I need to give them the right to reset any user password, and also unlock a user in the domain. The only problem is, when I add that group under Account Operators it doesn't work. My users get an Access Denied error or something like that. And they can only reset and unlock users within their own "Account Password Reset group". It works when I put them under Domain Admin group, but those privileges are too broad, and our director does not want them with all those rights. Is there another built in group I could use, or a way to modify their rights so they can have privileges to unlock and reset user accounts?

Please help me, I have to have this fixed very soon and I dont need to lose my job with the way the market is right now. Please help me.

Thanks

Howdie!

sqldbaguy schrieb:
> Im new here. I have a problem that I hope you guys can help with. Our
> A.D. guy has quit so they are giving me (the SQL DBA guy) the
> responsibilities.
>
> I am trying to add this group of users, who we are calling the "Account
> Password Reset group" and I need to give them the right to reset any
> user password, and also unlock a user in the domain. The only problem
> is, when I add that group under Account Operators it doesn't work.

Don't use the built-in groups. Create a new security group for those
users and put the password reset folks in there.

After that, right-click the OU the user accounts you want grant reset
access to are in, choose "Delegate Control...", choose the newly created
group and choose the "Reset password and force password reset...". That
should do the trick.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.

Hello sqldbaguy,

To reset password use the "delgate control" wizard and also use the settings
in the article to give the permissions to unlock accounts:
http://support.microsoft.com/kb/294952/en-us

Do not use the builtin groups for that, create your own security group. The
AdminSDHolder process runs on some protected groups and removes delegated
permissions and inheritance if set. See also:


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!


> Hi guys,
>
> Im new here. I have a problem that I hope you guys can help with. Our
> A.D. guy has quit so they are giving me (the SQL DBA guy) the
> responsibilities.
>
> I am trying to add this group of users, who we are calling the
> "Account Password Reset group" and I need to give them the right to
> reset any user password, and also unlock a user in the domain. The
> only problem is, when I add that group under Account Operators it
> doesn't work. My users get an Access Denied error or something like
> that. And they can only reset and unlock users within their own
> "Account Password Reset group". It works when I put them under Domain
> Admin group, but those privileges are too broad, and our director does
> not want them with all those rights. Is there another built in group I
> could use, or a way to modify their rights so they can have privileges
> to unlock and reset user accounts?
>
> Please help me, I have to have this fixed very soon and I dont need to
> lose my job with the way the market is right now. Please help me.
>
> Thanks
>
> http://forums.techarena.in
>