Taking ownership of user objects
Posted by Hursh on August 23rd, 2004


Hi,

Is there any utility that can change the owner of multiple user objects in
Windows 2000 AD?

Just like there is the option of changing the ACLs on child folders using
"Replace permissions on child objects" in the advanced properties of a
folder, I could not find the same in the properties of an OU, nor could I
change the owner by selecting multiple users (it does not show the Properties
option for multiple users).

I need to replace the owner with a group to which I want to delegate control
for day-to-day tasks (user pwd reset). I have been able to do so
successfully, but for the user objects whose owner is not this group, no member
of this group is able to reset pwd/change properties of those users.

Is there some way to replace the owner on multiple user objects?

tia
Hursh


Posted by Miha Pihler on August 23rd, 2004


Hi,

There should be no need to change ownership of the object to delegate the tasks
that you like to a group of users. Actually, it could be a security risk. If
you delegate ownership of e.g. all user objects (all users in your AD) to a
group of e.g. students, they will be able to take full control over any user
object. Among other things, this means that they will be able to change
passwords for e.g. the CEO account, delete his account or change any other part
of his account.

Mike



Posted by Hursh on August 23rd, 2004


Hi,

I have not given the rights for deletion of account or addition of new
accounts. Regarding accounts for important ppl like CEO/VP, I have a
separate OU whose delegation I have not done. As for members of the group,
these are junior administrators, who need not be account operators or domain
admins. Since they require only access for reset pwd/change user properties,
as they do this on day to day basis and if domain admins/account operators
are removed, I would have to do these tasks.

Since only change of pwd and change of user properties is being allowed, I
do not see any harm in delegating the control on specific OUs to junior
administrators.

The only problem is how to reset the owner/ACLs of these users in the OU to
that set on the OU.

regards
Hursh



Posted by Miha Pihler on August 23rd, 2004



Hi,

If a user is the _owner_ of an object, he can take full control of it. The same goes
for the file system -- any file that I am the owner of, but on which I have e.g. only read
permissions, I can take full control of.

need to reset user's passwords.

Now select the OU that you would like to delegate control of. Right-click on it
and select "Delegate Control". In the first window, select the group that you created,
e.g. "Password Administrators", and click Next. Here, assign this group
the appropriate permissions, e.g. "Reset user password and force password change
at next logon". If you need additional tasks that are not on this list,
select "Create a custom task to delegate" and click Next twice. Here, select
the checkboxes "General" and "Property-specific". Select which properties users
can change...

This should be all that you need to do...

Mike
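
The delegation described in the reply above, scripted, followed by a read-only report of each user's owner and inheritance state in the OU; this is an added example and not part of the thread. The OU path and the EXAMPLE domain are assumed placeholders, and the link between blocked inheritance and a delegation that does not reach some users is an assumption, since the thread does not diagnose the cause.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and dsacls.exe. The OU path and domain name are hypothetical placeholders.
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=example,DC=com'        # assumed OU
$Group = 'EXAMPLE\Password Administrators'   # group name from the thread, assumed domain

# 1. Delegate on the OU instead of changing owners. /I:S makes the ACEs apply
#    to descendant objects only, and the trailing ";user" limits them to users.
#    CA = control access right "Reset Password"
#    WP = write property pwdLastSet ("force password change at next logon")
dsacls $OU /I:S /G "${Group}:CA;Reset Password;user"
dsacls $OU /I:S /G "${Group}:WP;pwdLastSet;user"

# 2. Read-only audit: for every user under the OU, show the current owner and
#    whether the object's DACL is protected from inheritance. A protected DACL
#    does not receive ACEs inherited from the OU (assumed here to be why the
#    delegated group cannot manage some users).
$report = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * `
              -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        [pscustomobject]@{
            User               = $_.SamAccountName
            Owner              = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
            InheritanceBlocked = $sd.AreAccessRulesProtected
            DN                 = $_.DistinguishedName
        }
    }

# Users the OU-level delegation will not reach.
$report | Where-Object { $_.InheritanceBlocked } |
    Format-Table User, Owner, DN -AutoSize

# Owner distribution, to review who could take full control as owner.
$report | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run the audit part first; it changes nothing and shows which accounts need a closer look before any permissions are granted.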



