Tags: 2008, control, delegate

#1
Delegate Control of OU in AD 2008

I have a 2008 Active Directory

mycompany.local
NewYork
Computers
Groups
Users

So I want to delegate control of the NewYork OU to the NYIT security group and for those permissions to apply to all OUs under New York. I just want to eliminate the ability to create users. They can reset and change passwords, edit account info, disable and enable accounts.

I did:
Right click New York
Select Delegate Control
Add DOMAIN\NYIT
Select "Delegate the following common tasks:"
Select the following permissions:
    Reset user passwords and force password change at next logon
    Read all user information
    Generate Resultant Set of Policy (Planning)
    Create, delete and manage groups
    Modify the membership of a group
    Manage Group Policy Links
    Generate Resultant Set of Policy (Logging)
    Reset inetOrgPerson passwords and force password change at next logon
    Read all inetOrgPerson information

But it seems the members were unable to reset passwords or enable accounts.

What's the best way to do this?

Thanks

#2
Re: Delegate Control of OU in AD 2008

Hello Roger,

That is the way to do it. Are the accounts they try to reset the password for higher-level accounts than themselves?

See here about allowing account lockout:
http://support.microsoft.com/kb/294952/en-us

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have a 2008 Active Directory
>
> mycompany.local
> NewYork
> Computers
> Groups
> Users
> So I want to Delegate control Of the NewYork OU to the NYIT security
> group and for those permissions to apply to all OUs under New York. I
> just want to eliminate the ability to create users. They can reset and
> change passwords, edit account info, disable and enable accounts.
>
> I did: Right click New York
> Select Delegate Control
> Add DOMAIN\NYIT
> select "Delegate the following common tasks:"
> Select the following permissions
> Reset user passwords and force password change at next logon
> Read all user information
> Generate Resultant Set of Policy (Planning)
> Create, delete and manage groups
> Modify the membership of a group
> Manage Group Policy Links
> Generate Resultant Set of Policy (Logging)
> Reset inetOrgPerson passwords and force password change at next logon
> Read all inetOrgPerson information
> But it seems the members were unable to reset passwords or enable
> accounts.
>
> Whats the best way to do this?
>
> thanks
>
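
One way to check what the delegation on the OU actually grants, as an added example that is not part of the original posts: the script reads the OU's ACL and reports, for each task named in the question, whether the group holds an inheritable allow ACE for user objects. It assumes the OU's distinguished name is OU=NewYork,DC=mycompany,DC=local and takes the DOMAIN\NYIT name from the question; the GUIDs are the standard schema identifiers for the user class, the Reset Password extended right, and the pwdLastSet, userAccountControl and lockoutTime attributes.

```powershell
# Added example (not from the thread). Run as an account that can read the OU's ACL.
$ouDn  = 'OU=NewYork,DC=mycompany,DC=local'   # assumed DN of the OU in the question
$group = 'DOMAIN\NYIT'                        # group name as written in the question

$ADR       = [System.DirectoryServices.ActiveDirectoryRights]
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # class "user"

# Rights each task needs on user objects
$needed = @(
    @{ Task = 'Reset password (extended right)'
       Right = $ADR::ExtendedRight; Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529' },
    @{ Task = 'Force change at next logon (write pwdLastSet)'
       Right = $ADR::WriteProperty; Guid = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' },
    @{ Task = 'Enable/disable account (write userAccountControl)'
       Right = $ADR::WriteProperty; Guid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2' },
    @{ Task = 'Unlock account (write lockoutTime)'
       Right = $ADR::WriteProperty; Guid = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1' }
)

# Allow ACEs for the group that flow down to descendant user objects
$ou   = [ADSI]"LDAP://$ouDn"
$aces = $ou.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.IdentityReference.Value -eq $group -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -ne 'None' -and
        ($_.InheritedObjectType -eq [guid]::Empty -or
         $_.InheritedObjectType -eq $userClass)
    }

foreach ($n in $needed) {
    # An ACE matches if it carries the right and targets this GUID or all
    # properties/rights (empty ObjectType); GenericAll includes both bits.
    $hit = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $n.Right) -eq $n.Right) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $n.Guid)
    }
    '{0,-52} {1}' -f $n.Task, [bool]$hit
}
```

The report covers only allow ACEs set on the OU itself; it does not evaluate deny ACEs. Accounts that belong to protected groups such as Domain Admins do not inherit ACEs from the OU, so a True result here does not extend to them.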