Changing User passwords for domain on local machine

[AcornD]

Is there a way / Tool available so that in school we could alow the teacher to reset the pupils password. so that the dont have to keep comming to me and getting me to change it for them with over 1400 pupils in school its a majour part of my day with the pupils constantly forgetting their passwords and getting locked out.

Thanks

 

[aftertaf]

Use delegation.....

*-Create a customised AD User console
*-Use the delegation wizard to give sufficient rights on Active Directory OUs
*-install admin pack on the teacher's PC . . .

shout if you need more details...

 

[AcornD]

How do i create a custom AD User Console

 

[aftertaf]

1- Type running mmc.exe at a command line.
2- On the Console menu, click Add/Remove Snap-in.
3- Click Add to display the installed snap-ins.
4- in the list, you find AD Users & Computers - add it

close the 'add' windows and you have the start of a personalised console...

Now, right click on the AD Users node (left panel of console), and choose the option resembling 'new view of task list' (i'm using a french OS, i cant remember the exact translation), this will open a wizard, letting you customise the view and what tasks can be carried out with your future console.....

play around with the different options to get a feel of what is available... and don't worry about user rights, that comes at the end.

When happy with your console, click the Console tab and then choose between the modes ( ideal one being 'User Mode - Limited Access, Single Window' )

(explanation from MS site:
________________________________
Author Mode: This mode allows the user access to all MMC functionality, including the ability to add and remove snap-ins, create new windows, and navigate all portions of the console tree.
User Mode - Full Access: This mode allows the user access to all MMC window management functionality and full access to the console tree. It does not allow the user to add or remove snap-ins or to change the console file options. Save commands are removed from the menu because changes that do not affect snap-in relationships are saved automatically.
User Mode - Limited Access, Multiple Window: This mode restricts the user's ability to open new windows or gain access to areas of the console tree that were not visible when the console file was saved. All restrictions in place on full-access user mode console files also apply. Multiple child windows are allowed, but users do not have the ability to close them.
User Mode - Limited Access, Single Window: This mode is similar to the mode above, except that there is only a single window and the controls for working with multiple windows are not present.
_________________________________________)

When finished, Click Save As on the Console menu : file will be an .msc file, you can send it via mail or stick it on a network share.....


Now, for the security aspect.....

return to AD USers and groups, choose the OU or domain(!!) that contains the accounts you want to allow your teachers to administer (what they administer is dealt with both in which functions you include in your MMC and via Active Directory rights...), and right click on the object (domain, OU...), choose delegation of control...

again a wizard opens up and guides you through the task of choosing which account(s) or group(s) are concerned, etc etc...


And the icing on the cake is installing the admin pack w2000 on the computer(s) that the user(s) will do their administrating on.....
the admin pack is on the windows 2000 server cd, in the tools directory (i think!)

good luck

david

 

[mwiner]

to create a custom AD User Console also known as a Task Pad. Start the MMC and add the AD Users and Computers snapin. expand your domain and select any of the OU's that you have created or the Users or Computers OU.
Now at the top go to Action > New Task Pad View. Follow the wizard to create a taskpad that you are looking for. At this point you can create particular tasks that the user can do (only if you have delegated them access to it). One thing to keep in mind: If you create a taskpad for your OU's and you want a taskpad for the Users and Computers OU you need to do it all again. For some reason they are treated differently.

I have created a taskpad for my Helpdesk so that they could do these tasks but I only wanted them to see the OUs and information that they needed. Plus give them the ability click a button to add a new user, change a password. The goal was to KEEP IT SIMPLE. The less they have to look at the better. If you only want them to see specific OU's you have to select the OU that you want them to see and "Add it to Favorites". When you create the task pad there is a button to naviage to a favorite.

After you create the layout and all the buttons that you want - SAVE IT!!!!! Call it something like "Task Pad Template" Put that saved file somewhere safe. Now save as a different name. Go to File > Options and set the console mode to "User Mode" I use limited access single window. To finish now go to View > Customize and turn off any tool bars, trees, menus, etc, turn on Status Bar. Now you have a very stripped down and simple taskpad. Save it and test it out.

If you need to make any changes from this point they need to be made on the template and do that last section.

Here is a screenshot of what my taskpad looks like for my helpdesk. Depending on what is selected in the right pane it will determine what options are available on the left.

 

[aftertaf]

CORRECTION:
the admin pack is on the windows 2000 server cd, in the i386 folder .... adminpak.msi

 

[AcornD]

This is ok for windows 2000 and iv tried it and it works a treat but the teachers desktop machines are windows XP and the options above are not available. any ideas on windows XP ???

 

[mwiner]

you have to install the admin pack from the Windows Server 2003 CD.

Or you can download it.

Install that admin pack on the Windows XP clients.

 

[bran2235]

Ok, I've created my custom MMC but my helpdesk MMC still shows the "Delegate Control" link on the left-hand side. How do I remove this?

I don't want them to be able to delegate control...


Thanks!!!
Great post.

Brandon