delegating control to users to only reset Passwords...?

Status
Not open for further replies.

matrix101

MIS
Jun 5, 2007
60
US
Hello,

I am attempting to delegate control to group "A" to ONLY reset passwords in the USERS OU. I created a custom MMC which only gives them the view to the USERS OU and allows them to only reset passwords.

Is there a Group Policy I can also apply to limit their ability to wander around?

Also, could there be a better solution? Do you think this is secure enough? This will be for the HelpDesk and they usually try to hack around everything they can.

All comments are appreciated, thanks!
 
Here is a link to setting someone up with the ability to only UNLOCK accounts. I have used this since our management didn't want anyone else to be able to reset passwords for security reasons, but it's nice to not be the only one who can unlock an account.

 
Thanks capkirk, that does come in handy, but for my case I need them to be able to actually reset the users' passwords when necessary. Thanks!
 
Just follow the same steps for delegating the unlock an account and substitute it for Resetting passwords. When you are following the delegate control wizard you can select the different permissions you want to assign from the checklist.

To my knowledge there is no way to get around in the AD and do other tasks. I have played around with it a lot and if you delegate a certain permission to a user they will get access denied errors if they try to do anything else.


-drew
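
An added example, not part of any post in this thread: one way to check that the delegation really is limited to password resets is to read the OU's ACL and flag every entry for the delegated group that is not on a short allow-list. The OU distinguished name and group name are placeholders, and the allow-list (the Reset Password extended right plus read/write of pwdLastSet, both scoped to user objects) is an assumption about what a password-reset delegation should contain; adjust it to your environment.

```powershell
# Added example: audit what a delegated group can actually do on an OU.
# Assumptions (not from the thread): the OU DN and group name below, and the
# RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

$OuDn  = 'OU=USERS,DC=example,DC=com'   # placeholder DN
$Group = 'EXAMPLE\GroupA'               # placeholder group

# Schema GUIDs for what a password-reset delegation is expected to grant.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

function Test-ExpectedAce {
    param($Ace)
    # Deny entries only restrict access, so they never widen the delegation.
    if ($Ace.AccessControlType -ne 'Allow') { return $true }
    # Every allow entry must apply to descendant user objects only.
    if ($Ace.InheritedObjectType -ne $UserClass) { return $false }

    $rights = [int]$Ace.ActiveDirectoryRights
    $ext    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rw     = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # An empty ObjectType GUID means "all extended rights" and fails this test.
    if ($rights -eq $ext) { return $Ace.ObjectType -eq $ResetPassword }
    # Only read/write property bits are set, and only for pwdLastSet.
    if (($rights -band (-bnot $rw)) -eq 0) { return $Ace.ObjectType -eq $PwdLastSet }
    return $false
}

$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
if ($aces.Count -eq 0) { Write-Warning "No ACEs for $Group on $OuDn" }

foreach ($ace in $aces) {
    [pscustomobject]@{
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType
        AppliesTo  = $ace.InheritedObjectType
        Inherited  = $ace.IsInherited
        Status     = $(if (Test-ExpectedAce $ace) { 'expected' } else { 'REVIEW' })
    }
}
```

This only reports entries granted directly to the named group on that OU; rights the HelpDesk accounts hold through other group memberships need the same check run against those groups.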
 
One way would be to use a VBScript (or other command line method) to limit the HelpDesk operators' ability to poke around in the domain. You would probably need to build a front end for this. You could use real VB or AutoIT.

I haven't tried this code, but it should get you started:
 