Guest JT
Posted July 4, 2007

I have two users who are configured as account operators. It appears that they cannot change or reset passwords on all AD accounts. There are some accounts they get an access denied message on. I am trying to understand what would cause this. I was under the impression account operators can reset and change passwords and unlock accounts on all accounts except system and administrator accounts (domain admin, enterprise admin, etc). It appears this way when they try and reset their own account as well through ADUC.

Guest Ashish
Posted July 5, 2007

RE: Account Operator Can't Change/Reset Passwords?

Account operator group allows its members to administer user and group accounts for systems and domains. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU.

Note: Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

Ashish

"JT" wrote:

> I have two users who are configured as account operators. It appears that
> they cannot change or reset passwords on all AD accounts. There are some
> accounts they get an access denied message on. I am trying to understand
> what would cause this. I was under the impression account operators can
> reset and change passwords and unlock accounts on all accounts except system
> and administrator accounts (domain admin, enterprise admin, etc). It appears
> this way when they try and reset their own account as well through ADUC.

Guest JT
Posted July 5, 2007

Re: Account Operator Can't Change/Reset Passwords?

You haven't told me anything I didn't already know. This is what I said. I need to know why they cannot change the password on some accounts but they can on other accounts contained in the same OU.

"Ashish" <Ashish@discussions.microsoft.com> wrote in message news:F7B877F0-FCE5-483C-9341-27A672FAB9DF@microsoft.com...

> Account operator group allows its members to administer user and group
> accounts for systems and domains. By default, Account Operators have
> permission to create, modify, and delete accounts for users, groups, and
> computers in all containers and organizational units (OUs) of Active
> Directory except the Builtin container and the Domain Controllers OU.
>
> Note: Account Operators do not have permission to modify the Administrators
> and Domain Admins groups, nor do they have permission to modify the accounts
> for members of those groups.
>
> Ashish
>
> "JT" wrote:
>
>> I have two users who are configured as account operators. It appears that
>> they cannot change or reset passwords on all AD accounts. There are some
>> accounts they get an access denied message on. I am trying to understand
>> what would cause this. I was under the impression account operators can
>> reset and change passwords and unlock accounts on all accounts except
>> system and administrator accounts (domain admin, enterprise admin, etc). It
>> appears this way when they try and reset their own account as well through
>> ADUC.
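
The note in Ashish's reply says Account Operators cannot modify accounts that are members of Administrators or Domain Admins. As an added example that is not part of any post in this thread, the PowerShell below checks whether the accounts returning "access denied" fall under that rule. It assumes the ActiveDirectory module is available, uses placeholder account names, and treats nested group membership as counting, which goes beyond the note's wording.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# and read access to the domain.
Import-Module ActiveDirectory

# Placeholder names: replace with the accounts that return "access denied".
$deniedAccounts = @('user1-placeholder', 'user2-placeholder')

# Groups the note names as off-limits to Account Operators.
$protectedGroups = @('Administrators', 'Domain Admins')

# Build a lookup: member DN -> protected groups it belongs to.
# -Recursive follows nested groups and returns only leaf members.
$membership = @{}
foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        if (-not $membership.ContainsKey($_.distinguishedName)) {
            $membership[$_.distinguishedName] = @()
        }
        $membership[$_.distinguishedName] += $group
    }
}

# Report, per denied account, whether it is covered by the note's rule.
foreach ($name in $deniedAccounts) {
    try {
        $user = Get-ADUser -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Account '$name' not found: $($_.Exception.Message)"
        continue
    }
    $groups = $membership[$user.DistinguishedName]
    [pscustomobject]@{
        Account           = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        InProtectedGroup  = [bool]$groups
        ViaGroups         = ($groups -join ', ')
    }
}
```

Accounts that report `InProtectedGroup = False` are not explained by the note and need a separate look at the permissions on the account object itself.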