Account Operator Cant Change/Reset Passwords?

J

JT

I have two users who are configured as account operators. It appears that
they cannot change or reset passwords on all AD accounts. There are some
accounts they get an access denied message on. I am trying to understand
what would cause this. I was under the impression account operators can
reset and change passwords and unlock accounts on all accounts except system
and administrator accounts (domain admin, enterprise admin, etc). It appears
this way when they try and reset their own account as well through ADUC.
 
A

Ashish

Account operator group allows its members to administer user and group
accounts for systems and domains. By default, Account Operators have
permission to create, modify, and delete accounts for users, groups, and
computers in all containers and organizational units (OUs) of Active
Directory except the Builtin container and the Domain Controllers OU.

Note: Account Operators do not have permission to modify the Administrators
and Domain Admins groups, nor do they have permission to modify the accounts
for members of those groups.

Ashish

"JT" wrote:

> I have two users who are configured as account operators. It appears that
> they cannot change or reset passwords on all AD accounts. There are some
> accounts they get an access denied message on. I am trying to understand
> what would cause this. I was under the impression account operators can
> reset and change passwords and unlock accounts on all accounts except system
> and administrator accounts (domain admin, enterprise admin, etc). It appears
> this way when they try and reset their own account as well through ADUC.
>
>
>
 
J

JT

You havent told me anything I didnt already know. This is what I said. I
need to know why they cannot change the password on some accounts but they
can on other accounts contained in the same ou.


"Ashish" <Ashish@discussions.microsoft.com> wrote in message
news:F7B877F0-FCE5-483C-9341-27A672FAB9DF@microsoft.com...
> Account operator group allows its members to administer user and group
> accounts for systems and domains. By default, Account Operators have
> permission to create, modify, and delete accounts for users, groups, and
> computers in all containers and organizational units (OUs) of Active
> Directory except the Builtin container and the Domain Controllers OU.
>
> Note: Account Operators do not have permission to modify the
> Administrators
> and Domain Admins groups, nor do they have permission to modify the
> accounts
> for members of those groups.
>
> Ashish
>
> "JT" wrote:
>
>> I have two users who are configured as account operators. It appears that
>> they cannot change or reset passwords on all AD accounts. There are some
>> accounts they get an access denied message on. I am trying to understand
>> what would cause this. I was under the impression account operators can
>> reset and change passwords and unlock accounts on all accounts except
>> system
>> and administrator accounts (domain admin, enterprise admin, etc). It
>> appears
>> this way when they try and reset their own account as well through ADUC.
>>
>>
>>
 
Back
Top Bottom