Managing AD passwords w/o being logged into domain? 1

[gmiles]

Hi all,
I'm trying to set up a group of users with very specific permissions: I want them to be able to set and reset passwords for members of a domain, and that's it. They aren't normally part of the domain, they just want to log in to be able change and reset passwords. I think this is something that's easily done by creating a specific MMC console, but what I can't figure out is how to manage a Windows Server 2003 machine without actually being logged in to the domain.
If I install the Windows Server 2003 Administration Tools Pack, and go into the Active Directory management, it won't let me connect to the server since I'm not logged into the domain.
Any ideas? Or is there an easier way to set up a group to externally manage domain passwords without them being part of the domain?
Thanks!
-gmiles

 

[porkchopexpress]

Is it not possible to open an MMC and pass domain credentials using the RUNAS service?

or runas wrapper

http://www.palmersoft.co.uk/software/runasuser.asp

 

[itsp1965]

You can probably do this programatically. This was obtained from the MS Script center;

Set objUser = GetObject _
("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")

objUser.ChangePassword "i5A2sj*!", "jl3R86df"

I think if you execute the script using the RUNAS command, it should work. Hope this helps.

 

[gmiles]

I had tried to run as already but it hadn't worked... I eventually tried it a few more times and managed to get the syntax right. I'll give that app a shot. Thanks, guys!
-gmiles

 

[gmiles]

I had tried to run as already but it hadn't worked... I eventually tried it a few more times and managed to get the syntax right. I'll give that app a shot.

For the record, the syntax that got it to work was "runas /noprofile /env /netonly /userOMAIN.com\USER msc.exe"

Thanks, guys!
-gmiles