
2003 AD - Acct Ops can't unlock Acct Ops


chipk (IS-IT--Management), Mar 23, 2006
I know this is by design, but I need to find a way to allow my help desk guys to unlock one another's accounts. We have 2 domain admins and we are the only ones who can unlock Account Operators' accounts, which kind of sucks on nights and weekends. I need to find a way to work around this. I am open to any method; I'm sure it's possible, it's just easier to ask than scour the web looking for a solution. Thanks!
 
Could you try using the delegate control wizard to give them this ability on the OU that contains their accounts?

You know what Jack Burton always says at a time like this...
 
Hmmm...not sure if that would work or not. I'll give it a try.
 
No, I'm not either, but it's worth a try.
 
That didn't work. Any other suggestions? I also created an account that was not in Account Operators and attempted delegating control to it. This didn't work either. Still couldn't manage Account Operators' accounts.
 
I'm thinking removing my help desk folks from the Account Operators and using Delegation instead may be the solution. This way, I can create a generic account and place it in Account Operators and if they lock themselves out, they can use this generic account to unlock. I'll post the results if this works.
 
That might be the better solution. I use delegation to allow certain users to change passwords here rather than making them Account Operators.
 
I thought it had been possible in the past; it seems it's a change in Server 2003.

Starting with Windows 2000 SP4 and Windows Server 2003, Account Operators cannot modify Account Operators.
 
Ah, I goofed. When I first tried the delegation thing, I did not perform a gpupdate /refresh. I tried the delegation again on the same group that I have in Account Operators, performed gpupdate from the DC, and then my help desk users were able to manage each other's accounts.

Kind of strange. I didn't think that had anything to do with Group Policy, which is why I didn't do the gpupdate at first. I guess this applies to any security changes on the containers and not just specific changes made in GPO.
 
I take that back, none of that actually worked.

One of my help desk users gave me bad information.

I'm back to square one.
 
I've actually worked out a solution. Sorry for all the nonsense posts.

Basically, I used Delegation for the Help Desk group to let them manage everyone else. I then created a generic account outside my Help Desk group and put it in Account Operators, but I also had to explicitly give it permissions on my Help Desk techs' User Account security tabs (I assume it wasn't inherited because of the elevated rights of the users). For normal calls, Help Desk techs will just use their own credentials to run ADUC. If they need to manage one another's accounts, they will have to RunAs with the generic Account Operator.

I understand the necessity for "least privileged" mode, but what a pain!
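As an added illustration (not code from the thread or from Tek-Tips), here is the delegation the last post describes, done with the ActiveDirectory PowerShell module instead of the Delegation of Control wizard so the exact ACEs are visible: the Help Desk group gets write access to lockoutTime (that is what "Unlock account" sets to 0) and the Reset Password extended right on user objects under one OU. The OU name, the group name and the domain are assumptions. The last step lists the accounts the delegation will not reach: members of protected groups such as Account Operators carry adminCount=1, have inheritance turned off on their security descriptor, and have it rewritten from CN=AdminSDHolder,CN=System by the SDProp process about once an hour, which is why the OU-level delegation never "took" on the techs' own accounts. The same ACEs can be set with dsacls from the Windows Server 2003 Support Tools.

```powershell
# Added example, not from the thread. Assumed names: OU "OU=Help Desk,DC=corp,DC=example"
# and group "HelpDesk". Needs the ActiveDirectory module (RSAT) and rights to write the OU ACL.
Import-Module ActiveDirectory

$ou    = "OU=Help Desk,DC=corp,DC=example"   # hypothetical OU holding the accounts to manage
$group = Get-ADGroup -Identity "HelpDesk"     # hypothetical delegated group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve GUIDs from the schema and configuration partitions rather than hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$displayName))" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # attribute that "Unlock account" clears
$userClassGuid   = Get-SchemaGuid 'user'          # restrict the ACEs to user objects
$resetPwdGuid    = Get-RightsGuid 'Reset Password'

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ou"
# Unlock = write lockoutTime; read is included so ADUC can display the current lockout state.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $lockoutTimeGuid, $inherit, $userClassGuid)))
# Reset Password is a control access right, so it is granted as an ExtendedRight ACE.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $inherit, $userClassGuid)))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Accounts under the OU that AdminSDHolder protects: adminCount=1, inheritance disabled,
# security descriptor reset by SDProp. The delegation above does not apply to these.
Get-ADUser -SearchBase $ou -Filter 'adminCount -eq 1' -Properties adminCount, memberOf |
    Select-Object SamAccountName, DistinguishedName
```

Two caveats follow from the AdminSDHolder behaviour. First, the explicit permissions the last post adds on the techs' own user accounts are exactly what SDProp strips on its next pass, so the generic Account Operator workaround will stop working within an hour unless the ACE is placed on the AdminSDHolder object itself, where it would then apply to every protected account, Domain Admins included. Second, if the techs are removed from Account Operators so that plain delegation covers them, their accounts keep adminCount=1 and inheritance disabled until an admin clears the attribute and re-enables inheritance on the Security tab; SDProp protects accounts but never un-protects them.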
 