I have two users who are configured as account operators. It appears that

they cannot change or reset passwords on all AD accounts. There are some

accounts they get an access denied message on. I am trying to understand

what would cause this. I was under the impression account operators can

reset and change passwords and unlock accounts on all accounts except system

and administrator accounts (domain admin, enterprise admin, etc). It appears

this way when they try and reset their own account as well through ADUC.

Account operator group allows its members to administer user and group

accounts for systems and domains. By default, Account Operators have

permission to create, modify, and delete accounts for users, groups, and

computers in all containers and organizational units (OUs) of Active

Directory except the Builtin container and the Domain Controllers OU.

 

Note: Account Operators do not have permission to modify the Administrators

and Domain Admins groups, nor do they have permission to modify the accounts

for members of those groups.

 

Ashish

 

"JT" wrote:

> I have two users who are configured as account operators. It appears that

> they cannot change or reset passwords on all AD accounts. There are some

> accounts they get an access denied message on. I am trying to understand

> what would cause this. I was under the impression account operators can

> reset and change passwords and unlock accounts on all accounts except system

> and administrator accounts (domain admin, enterprise admin, etc). It appears

> this way when they try and reset their own account as well through ADUC.

>

>

>

You havent told me anything I didnt already know. This is what I said. I

need to know why they cannot change the password on some accounts but they

can on other accounts contained in the same ou.

 

 

"Ashish" <Ashish@discussions.microsoft.com> wrote in message

news:F7B877F0-FCE5-483C-9341-27A672FAB9DF@microsoft.com...

> Account operator group allows its members to administer user and group

> accounts for systems and domains. By default, Account Operators have

> permission to create, modify, and delete accounts for users, groups, and

> computers in all containers and organizational units (OUs) of Active

> Directory except the Builtin container and the Domain Controllers OU.

>

> Note: Account Operators do not have permission to modify the

> Administrators

> and Domain Admins groups, nor do they have permission to modify the

> accounts

> for members of those groups.

>

> Ashish

>

> "JT" wrote:

>

>> I have two users who are configured as account operators. It appears that

>> they cannot change or reset passwords on all AD accounts. There are some

>> accounts they get an access denied message on. I am trying to understand

>> what would cause this. I was under the impression account operators can

>> reset and change passwords and unlock accounts on all accounts except

>> system

>> and administrator accounts (domain admin, enterprise admin, etc). It

>> appears

>> this way when they try and reset their own account as well through ADUC.

>>

>>

>>