Active Directory related problem

By johnny_mne ·
I need to allow a few users to remotly access domain controler, but the only thing that they should be allowed to do for now is to reset passwords. Does anyone have an idea on how to do that?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

It's what the Delegate Control Wizard is for

by neilb@uk In reply to Active Directory related ...

in Active directory Users and Computers. Look under the Action drop-down.

Highlight the OU in question (where they are aloowed to do it), open the wizard, select the group of users to who you wish to give password-chage permission (who is allowed to do it), check "Reset user passwords and force password change at next logon" (what they are allowed to do) and that's that. The wizard will add the correct three permissions.

No point in trying to get complicated!

Neil :)

Collapse -

Another issue

by johnny_mne In reply to It's what the Delegate Co ...

Delegate control part works great, thanks! As you can see, i'm a beginer... Now i have a different problem... what is the best way to allow them remote access to domain controler? We ussually use -My computer\ properties\ Remote\ Select remote users option, but that doesn't seem to work for them... Maybe through user rights assignment? or some third option... ?

Collapse -

can't make it work...

by johnny_mne In reply to Another issue

they can't login via remote desktop connection until i put them in administrators group... but when i do that, the delegate control option doesn't have any effect... they can do everything...

Collapse -

they don't need access onto the Domain Controller

by neilb@uk In reply to Another issue

in fact, they DON'T WANT acces to the DC!

They should be able to change the passwords using Active Directory Users and Computers from the Windows admin tools or you can set up a custom MMC by running mmc, adding the AD elements in File | Add Snap-in and add the AD snap-in. You can then navigate to the OU that the uses are in and save the options for the users who you're giving rights to.

Have a play with MMC and post again if you have issues.

Neil :)

Collapse -

thanks a lot, I'll check it out!

by johnny_mne In reply to they don't need access on ...

But it would be perfect if I could make it so that they can access remotly AND just reset passwords... I didn't explain, those users will be in charge of password reseting for now, until they get to know AD a little better... eventually , they will be doing much more than that...

Collapse -

what's with the remote access? no remote access needed

by CG IT In reply to thanks a lot, I'll check ...
Collapse -

Could you elaborate on that?

by johnny_mne In reply to what's with the remote ac ...

How else can I access Active Directory? We only access localy (directly on the server) and remotly (using remote desktop connection). I know, i'm new at this... So be patient :) Or if you have any links that could help me...

Collapse -

I NEVER log onto a DC

by neilb@uk In reply to thanks a lot, I'll check ...

unless I need to look at the DC itself.

To make any changes to AD, I just use the Windows 2003 or Windows 2008 Admin Tools for 2003 from my workstation. For password changes, I use Active Directory Users and Computers.

You can also use MMC and add the Active Directory Users and Computers snap-in and get the same thing.


No WAY do you want to let users onto any servers.

Related Discussions

Related Forums