Chapter 2 70-640 Practice 2 RRS feed

  • Question

  • I am trying to finish the Suggested Practices at the end of Chapter 2 of the 70-640 Microsoft book.  But I seem to be stuck..any help?

    The exercise wants me to log in Barbara Mayer and try to reset passwords for users inside the people OU.  I have delegated the Help Desk group...the  Reset User Passwords and Force Password change at Next Logon permission for the People OU.  Also Barbara Mayer is a member of the HelpDesk group.  But when she logs on, she cannot change the passwords of other users.

    I don't understand what I am doing wrong...can anyone help please?


    Tuesday, October 18, 2011 6:38 PM


  • This took me forever to figure out, but I finally found a solution to this.


    If you've got the second edition of the book, take a look at the bottom of page 85.  The paragraph under the bullets instructs you to add Domain Users to the Print Operators group.  Turns out that explicit memberships to Builtin Domain Local Security groups override delegated permissions from other groups (i.e. Global security groups, such as Help Desk).  Therefore, when you're logging in as Barbara Mayer, the system is seeing her as a Print Operator and not Help Desk.  When you try to reset a user's password, the system doesn't even pull up her Help Desk permissions.

    The solution is to add both Help Desk and Print Operators to the list when using the Delegate Control menu as Administrator to give permissions to reset user passwords in the User Accounts OU.  Instead of just adding Help Desk, add Help Desk AND Print Operators.  Worked like a charm for me.

    The reason this isn't such a big deal in production is because you would almost never add someone to the Print Operators group and then have that user logon directly to the DC.

    Good luck!

    • Proposed as answer by Dimitri C Monday, February 27, 2012 7:07 AM
    • Marked as answer by Mr. Wharty Wednesday, February 29, 2012 5:04 AM
    Wednesday, October 19, 2011 2:39 PM