Builtin Groups

    Question

  • We have a user who is a member of the builtin group called "Account Operators". According to Microsoft's web page this group can do the following:

    Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

    The user in question, who is a member of this group, only has 1 laptop. She uses no other computer. She has rebooted her laptop and she still is unable to reset passwords, move a user from one OU to another OU, or re-enable an account.

    I then Delegated the following rights for this single user.

    The user rebooted. She still can't manipulate user accounts. Why?


    mqh7

    Friday, July 17, 2015 4:44 PM

Answers

  • Hi mqh7,

    Thanks for your post.

    What's the prompt about failure of resetting password?

    It may also be caused by the user not having been granted the Read permission on the built-in OU in "Active Directory Users and Computers." For more details, you could refer to the link.

    https://support.microsoft.com/en-us/kb/932455

    If you have any other information related to the issue, please feel free to contact us.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by mqh7 Monday, July 20, 2015 6:52 PM
    Monday, July 20, 2015 5:46 AM
    Moderator

All replies

  • Let's try to isolate the issue. Ask the user to log on to a domain controller and try to reset the password for any regular user. If it works, there is probably a problem with the secure channel between the DC and the user's workstation (I can assume that because you mentioned a laptop, which is probably sometimes connected via VPN, etc.).

    Also try to run "whoami /all" to make sure that the user is a member of the "Account Operators" group.

    Friday, July 17, 2015 7:53 PM
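A way to check both points raised in this thread from the admin side, as an added PowerShell example that is not from any of the posts: whether the user's logon token will actually carry Account Operators (nested membership included), and which ACEs that group really holds on the Users and Builtin containers, including the Read right the marked answer mentions. It assumes the RSAT ActiveDirectory module is installed on a domain-joined machine; the function names, the -Container parameter and the sample account name 'jdoe' are my own choices.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Account Operators and the GUID of the
# "Reset Password" extended right (User-Force-Change-Password).
$AccountOperatorsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-548'
$ResetPasswordGuid   = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Test-EffectiveAccountOperator {
    # Reads the constructed tokenGroups attribute, which lists every group SID
    # (nested groups included) that the user's logon token will contain after
    # a fresh logon. This is the server-side counterpart of "whoami /all".
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    }
    return [bool]($sids -contains $AccountOperatorsSid)
}

function Get-AccountOperatorsAces {
    # Lists the ACEs Account Operators holds on a container such as 'CN=Users'
    # or 'CN=Builtin'. Password resets need the Reset Password right on the
    # target; the Read right on the Builtin container is needed as well.
    param([string]$Container = 'CN=Users')   # parameter name is my own
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$Container,$domainDn"
    $acl.Access |
        Where-Object { $_.IdentityReference -like '*\Account Operators' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
            @{ Name = 'Right'; Expression = {
                if ($_.ObjectType -eq $ResetPasswordGuid) { 'Reset Password' } else { $_.ObjectType } } }
}

# Usage: replace the sample account name with the affected user.
Test-EffectiveAccountOperator -SamAccountName 'jdoe'
Get-AccountOperatorsAces -Container 'CN=Users'   | Format-Table -AutoSize
Get-AccountOperatorsAces -Container 'CN=Builtin' | Format-Table -AutoSize
```

If the first call returns False, the membership never reached the token (check the group's member list and replication); if it returns True but no Reset Password ACE is listed, the rights were removed or never delegated on that container.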