[danoli]

I need to delegate control of some common tasks in our AD environment (2000/2003)

First, I am selecting the domain and choosing delegate control. I then selecting a group which I have created called reset user passwords.

I then select the Reset user passwords and force password change at next login option from the common tasks.

I then add a user as a member to the group and via a remote MMC console ask him to reset a password as a test. He inputs the new pasasword but it fails saying Access Denied

Any ideas?

 

[Squashman]

Check the properties of the domain object. On the Security tab Select the advanced button. Look at the Permissions tab. Do you see the group you created and does it say Password Reset under the permissions column.

 

[efigueroa]

You could try setting it up as a custom task and give them read write permissions. Otherwise as far as I know reset password and force password change is all you need if you're using the Delegate Control Wizard. You could also try checking that there are no parent permissions overwriting the permissions on the child group you created. And if you're interested in learning how to dive a bit deeper into AD and Windows 2003 Computer Associates is hosting an event called CA World that will have breakout sessions covering these topics. You can get information here www.ca.com/caworld/