- Help with Delegation Wizard
- Posted by Marc on March 4th, 2004
Hi All
I am trying to delegate the function of changing passwords to a non-administrator. I created a custom console containing the OU I want him to manage, I ran the delegation wizard, saved the console, deployed it, and when he tries to apply a password change, he gets access denied.
What else needs to happen for this to work?
Any help would be appreciated.
Thank You in advance
Marc
- Posted by Chriss3 on March 4th, 2004
Marc, did you delegate the Reset Password right?
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/windows2000...delegsteps.asp
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:erDeZbYAEHA.2576@TK2MSFTNGP11.phx.gbl...
- Posted by Marc on March 4th, 2004
Hi Christoffer
Yes, I set the Reset Password right. Checked the advanced properties to make sure and it's there. It only works if I make him a member of "Domain Admins" or the local "Administrators" group.
Anything else I can try?
Regards
Marc
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:uPC0QdYAEHA.1456@TK2MSFTNGP09.phx.gbl...
- Posted by Chriss3 on March 4th, 2004
Marc, if the particular user tries to do so in AD Users and Computers for an account in the delegated OU, does the same thing happen?
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:%239gy8jYAEHA.3456@TK2MSFTNGP09.phx.gbl...
- Posted by Marc on March 4th, 2004
Christoffer
It does the same thing no matter how I try.
Marc
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:u92S3rYAEHA.1464@tk2msftngp13.phx.gbl...
- Posted by Chriss3 on March 4th, 2004
Do you have more than one Domain Controller? This may be a replication problem.
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:%23fz8w%23YAEHA.3284@TK2MSFTNGP09.phx.gbl...
- Posted by Marc on March 4th, 2004
Christoffer
I checked the event logs on both DC's and all looks good. Added a line to
the login script and the updated script replicated immediately.
Marc
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:eAV9xMZAEHA.2576@TK2MSFTNGP11.phx.gbl...
- Posted by Chriss3 on March 4th, 2004
Have you made other changes to the ACL within the Directory, as far as you know?
Let's have a look at the particular delegated user's Effective Permissions on an object in the delegated OU.
Right-click one of the users in the OU for which he should be able to reset the password. Click the Security tab, click Advanced, then click the Effective Permissions tab. Select the particular user you have delegated the control to and see what you get in the list below.
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:%231EzNmZAEHA.3712@tk2msftngp13.phx.gbl...
- Posted by Marc on March 4th, 2004
Christoffer
The user I have delegated reset password to shows up in the security of the OU but not in the security properties of the individual users in that OU. I have to modify each single user's settings and check "Allow inheritable permissions from the parent to propagate to this object".
The question now becomes: how do I set that setting globally so that I do not need to do each object individually and then have to remember to do each new one?
Marc
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:Os$ivxZAEHA.1796@TK2MSFTNGP12.phx.gbl...
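The situation Marc describes above (the delegated ACE is on the OU, but individual user objects have inheritance blocked) can be audited and corrected in bulk instead of object by object. The following script is an added example and is not from the thread or from Microsoft's documentation; it assumes the ActiveDirectory PowerShell module (RSAT), a hypothetical OU DN, and that the caller holds WRITE_DAC on the affected user objects. Without -Fix it only reports.

```powershell
# Added example (not from the thread): find user objects under an OU whose DACL has
# "Allow inheritable permissions from the parent to propagate to this object" cleared,
# and optionally re-enable inheritance on them so OU-level delegation applies again.
param(
    [string]$OU = 'OU=Delegated,DC=example,DC=com',   # hypothetical OU DN
    [switch]$Fix                                       # without -Fix: report only
)

Import-Module ActiveDirectory

# adminCount is read so the report shows which accounts are protected-group members;
# the DC re-applies a non-inherited ACL to those on its own, so re-enabling inheritance
# there does not stick, and such accounts should not be help-desk targets anyway.
$users = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * -Properties adminCount

$report = foreach ($u in $users) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    if (-not $acl.AreAccessRulesProtected) { continue }   # inheritance already on

    $fixed = $false
    if ($Fix -and $u.adminCount -ne 1) {
        # isProtected = $false re-enables inheritance; second argument is ignored
        # when enabling, but is required by the signature.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        # Re-read to confirm the change actually landed on the DC we talked to.
        $fixed = -not (Get-Acl -Path $path).AreAccessRulesProtected
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        AdminCount        = $u.adminCount
        InheritanceFixed  = $fixed
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Fix to see how many objects are affected and whether any carry adminCount=1; then run with -Fix. New user objects created under the OU afterwards inherit by default, so they do not need this treatment, but objects moved in from elsewhere with protection set do.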
- Posted by Chriss3 on March 5th, 2004
Hi Marc.
Navigate to the Security tab for the particular OU and make sure the delegated permissions show up in the ACL. Click the Advanced button. The ACL is displayed again, but in Advanced mode. Notice the Apply To column; make sure the delegated user or group has been assigned Child Objects Only, if that is what you want. Then apply the settings.
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:O5HfNZkAEHA.3944@TK2MSFTNGP11.phx.gbl...
- Posted by Marc on March 5th, 2004
Hi Christoffer
There is no Reset or Change Password in the available permissions listed when "Child Objects Only" is selected. I tried to grant "Full Control" to "Child Objects Only" and that didn't do it either.
The funny thing is, if I create another OU in the delegated OU, the permissions will be inherited by the container (OU) but not by any users that get moved into it or created within it.
Marc
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:upGpjqsAEHA.1700@TK2MSFTNGP12.phx.gbl...
- Posted by Chriss3 on March 5th, 2004
Hi Marc, it should be inherited. Do you know if the ACL has been changed from the defaults at the Domain node? (This is kind of hard to support, but I don't give up.) You can e-mail me at christoffer.andersson@_nospam (replace "_nospam" with itsystem.se); you may take some screenshots of the ACLs.
Have a nice weekend
--
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
"Marc" <Marc@nospam.com> wrote in message
news:ej5x2CvAEHA.3348@TK2MSFTNGP11.phx.gbl...
- Posted by Ulf B. Simon-Weidner [MVP] on March 5th, 2004
Marc says...
Instead of going through the graphical interface, would you be able to run dsacls from the Support Tools against the OU and provide us with the result? It shows exactly which rights are set in the ACEs of that OU.
e.g.
dsacls "ou=companyuser,dc=company,dc=com"
Gruesse - Sincerely,
Ulf B. Simon-Weidner
- Posted by Marc on March 5th, 2004
Hi Simon
Here are the results. The delegated group is help_desk. Hope this helps.
Regards;
Marc
Access list:
Effective Permissions on this object are:
Allow STELPIPE\Domain Admins FULL CONTROL
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow STELPIPE\Enterprise Admins FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
LIST CONTENTS
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow STELPIPE\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Account Operators SPECIAL ACCESS for computer
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for group
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Print Operators SPECIAL ACCESS for printQueue
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Public Information
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
WRITE PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow STELPIPE\Enterprise Admins FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
LIST CONTENTS
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow STELPIPE\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Public Information
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
WRITE PROPERTY
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
WRITE PROPERTY
Inherited to group
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow STELPIPE\Exchange Enterprise Servers SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow STELPIPE\Help_Desk Reset Password
The command completed successfully
Thanks
"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in
message news:MPG.1ab316f85e8e54a989a74@msnews.microsoft.com...
- Posted by Ulf B. Simon-Weidner [MVP] on March 6th, 2004
Marc says...
As far as I know you'll also need the right to read and write the pwdLastSet
attribute. See what I tested; it's working:
Inherited to user
Allow NWTRADERS\tuser Reset Password
Allow NWTRADERS\tuser SPECIAL ACCESS for pwdLastSet
WRITE PROPERTY
READ PROPERTY
You can set those rights easily by going to the Delegation Wizard, then on the
"Tasks to Delegate" page selecting the checkbox "Reset user passwords and force
password change at next logon".
Hope this helps.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
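The wizard task Ulf points to writes two ACEs onto the OU, both inherited to user objects only: the "Reset Password" control access right and read/write on the pwdLastSet attribute (the second is what lets the help desk tick "User must change password at next logon"). The script below is an added example, not code from the thread or from Microsoft, and produces the same pair of ACEs from PowerShell so the result can be scripted and re-verified with dsacls. It assumes the ActiveDirectory module; the group name and OU DN are hypothetical. The GUIDs are looked up from the forest's schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the thread): delegate "Reset user passwords and force password
# change at next logon" to a group without the wizard, then verify with dsacls.
Import-Module ActiveDirectory

$OU    = 'OU=Delegated,DC=example,DC=com'   # hypothetical OU DN
$Group = 'EXAMPLE\Help_Desk'                # hypothetical group, DOMAIN\name form
$sid   = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
             [System.Security.Principal.SecurityIdentifier])

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID is stored as a byte array; rightsGuid is a string.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass  = Get-SchemaGuid        'user'
$pwdLastSet = Get-SchemaGuid        'pwdLastSet'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

# Descendents = apply to child objects only, not to the OU itself; the last
# constructor argument restricts it further to objects of class "user".
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl     = Get-Acl -Path "AD:\$OU"

# ACE 1: the "Reset Password" control access right (shows as CA / "Reset Password" in dsacls)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))

# ACE 2: read + write pwdLastSet, so "must change password at next logon" can be set
$rpwp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rpwp, $allow, $pwdLastSet, $inherit, $userClass)))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify the same way the thread did: both ACEs should be listed under "Inherited to user".
dsacls $OU | Select-String -Pattern 'Help_Desk'
```

Run against the OU from Marc's dump, the expected tail of the dsacls output gains a line like "Allow ...\Help_Desk SPECIAL ACCESS for pwdLastSet" with WRITE PROPERTY and READ PROPERTY beneath the existing "Allow ...\Help_Desk Reset Password" line. Note that this grants nothing the wizard would not; it does not touch lockoutTime or any other attribute, so unlocking accounts remains a separate delegation.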