Discussion:
Account Operator Can't Change/Reset Passwords?
JT
2007-07-04 15:41:16 UTC
I have two users who are configured as account operators. It appears that
they cannot change or reset passwords on all AD accounts. There are some
accounts they get an access denied message on. I am trying to understand
what would cause this. I was under the impression account operators can
reset and change passwords and unlock accounts on all accounts except system
and administrator accounts (domain admin, enterprise admin, etc). It appears
this way when they try and reset their own account as well through ADUC.
Ashish
2007-07-05 07:14:00 UTC
Account operator group allows its members to administer user and group
accounts for systems and domains. By default, Account Operators have
permission to create, modify, and delete accounts for users, groups, and
computers in all containers and organizational units (OUs) of Active
Directory except the Builtin container and the Domain Controllers OU.

Note: Account Operators do not have permission to modify the Administrators
and Domain Admins groups, nor do they have permission to modify the accounts
for members of those groups.

Ashish
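
Added example, not part of the original thread: a PowerShell check that reports whether the accounts returning access denied are direct or nested members of the two groups named in the note above. It assumes the ActiveDirectory (RSAT) module is available; the account names are constructed placeholders and the function name is hypothetical.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed placeholders: replace with the accounts that return "access denied".
$DeniedAccounts  = 'jsmith-example', 'svc-backup-example'

# The two groups named in the note above.
$ProtectedGroups = 'Administrators', 'Domain Admins'

# Hypothetical helper: for each account, list which of the given groups it
# belongs to, counting membership inherited through nested groups.
function Get-ProtectedGroupMembership {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [Parameter(Mandatory)][string[]]$GroupName
    )

    # Expand each group once. -Recursive follows nested groups and returns
    # only the leaf members (users and computers).
    $membersByGroup = @{}
    foreach ($name in $GroupName) {
        $membersByGroup[$name] = @(
            Get-ADGroupMember -Identity $name -Recursive |
                Select-Object -ExpandProperty distinguishedName
        )
    }

    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam
        $hits = @($GroupName | Where-Object {
            $membersByGroup[$_] -contains $user.DistinguishedName
        })

        [pscustomobject]@{
            Account           = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            ProtectedGroups   = $hits -join ', '
            CoveredByNote     = ($hits.Count -gt 0)   # true if the note above applies
        }
    }
}

Get-ProtectedGroupMembership -SamAccountName $DeniedAccounts -GroupName $ProtectedGroups |
    Format-Table -AutoSize
```

An account with `CoveredByNote` set to `True` is a member of one of those groups, possibly only through a nested group that is not visible on the account's own Member Of tab.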
JT
2007-07-05 12:33:31 UTC
You haven't told me anything I didn't already know. This is what I said. I
need to know why they cannot change the password on some accounts but they
can on other accounts contained in the same OU.