2006-09-16 02:30:38 · 1 answers · asked by Charles 3 in Computers & Internet ➔ Security
There are two possible ways to proceed. You could add the help desk personnel to the Account Operators Built-In group. This will allow them to reset passwords, but will also allow them to create and delete accounts as well. If you don't want them to have that authority, here's one way that will work.
Note: The names specified below are for clarity. You can name the OU and Group anything you wish.
Create a new OU. Call it Hekp Desk. Create a new Domain Local Security Group in that OU. Call it PW Reset. Add the Help Desk staff (or a Global or Universal group that they are uniquely members of) to that group.
Right click the new Help Desk OU and select "Delegate Control" from the context menu to launch the Delegation of Control Wizard. Click Next.
In the "Users or Groups" screen, click Add.
In the Select Users, Computers or Groups screen, type PW Reset in the "Enter object names to select" box and click OK. This will take you back to the "Users or Groups" screen with the PW Reset group added. Click Next.
In the "Tasks to Delegate" screen, select the "Reset user passwords and force password change at next logon" and "Read all user information" tickboxes. Click Next.
In the "Completing the Delegation of Control Wizard" screen, verify your changes. If everything is correct, click Finish.
Verify that the Help Desk staff can now reset passwords, but cannot otherwise modify accounts (aside from any other rights already granted.)
2006-09-16 04:55:06 · answer #1 · answered by Bostonian In MO 7 · 0⤊ 0⤋