Active Directory permission delegation
toploader25
September 21st, 2006, 12:29 PM
Hi there.
We have a group of IT Support lads in our department that need to be able to join new PC's to our domain, and also be able to reset and unlock users accounts in that domain. They are the only tasks they need to perform.
Unfortunately our AD expert has left us recently and we do not have another expert who can give us some details of how exactly to go about it.
If anyone can let me know how to achieve this I would be most grateful.
Thanks.
Snurfen
September 21st, 2006, 05:18 PM
Aye up toploader, I'm just about to have a shower and put on some suitably street-cred threads (***, I'm 46 for crissakes) to go and attend the premiere AND AFTER SHOW PARTY of dirty sanchez, the movie! (hence my sig).
I'll PM you my mobile and I can talk you through it tomorrow morning (Friday) - albeit slowly, as I'm off up St Mary St for lots of free booze after the screening ;)
Wait for tomorrow's Western Mail headline "Old IT codger duffed up by Nicky Piper for chatting up/leering at his missus in some posh do". That'll be me. (Or it may be Lucy Cohen's hubby - think Lembit Opik is safe, his missus is a right mwnter).
toploader25
September 26th, 2006, 09:54 AM
Thanks for that.
I have managed to get it all sorted.....except for one little thing.
I created a group called IT Support and they can join PCs to the domain, but when they reset passwords, the "user must change at next logon" box is greyed out. BUT they can reset the password, then go into the user's details and tick the change password at next logon box under the Account tab?!?!?!?!
Any ideas?
Thanks
Snurfen
September 26th, 2006, 02:03 PM
I've been nosing around a bit on this one and asking colleagues if they have ever managed it in AD. All say no. Bit of a pain, seeing as it was set to default in NT4, wasn't it?
I've also tried to make a custom mmc that would allow p/w reset with the force change in place, but failed miserably so far. I'll keep trying.
Looks like you are going to have to run with it for the time being, though there has to be a hack somewhere to set the default to "change at first sign on".
toploader25
September 27th, 2006, 12:56 PM
Hi there.
Just to let you know, I have managed to sort the problem (With a little help from the AD expert who left us a little while ago......:happy: :happy: )
You have to also allow permission to "read and write lockout time" in the Properties tab of the permission entries for the IT Support group.
Everything is now working as we want it.
Thanks for your help Snurfen.
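For anyone landing on this thread later, here is an added PowerShell example (not posted by anyone in the thread) that scripts the same delegation with the ActiveDirectory module: Reset Password plus read/write of pwdLastSet and lockoutTime on user objects, and Create Computer objects on the workstation OU. The group name and OU distinguished names are placeholders, and the script assumes it is run with rights to change those OUs' ACLs.

```powershell
# Added example, not from the thread: delegate "reset/unlock accounts" and
# "join PCs to the domain" to an IT Support group via the AD: drive.
# Group name and OU DNs are placeholders; run as an account that may edit ACLs.
Import-Module ActiveDirectory
$groupName   = 'IT Support'                           # placeholder
$usersOU     = 'OU=Staff,DC=example,DC=com'           # placeholder DN
$computersOU = 'OU=Workstations,DC=example,DC=com'    # placeholder DN

$sid     = (Get-ADGroup $groupName).SID
$rootDse = Get-ADRootDSE

# Resolve schema and extended-right GUIDs from the directory rather than
# hard-coding them, so the same script works in any forest.
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$readWrite     = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$descendents   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE that applies to objects of $inheritedType below the OU (not the OU itself).
function New-Ace($rights, [guid]$objectType, [guid]$inheritedType) {
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $rights, 'Allow', $objectType, $descendents, $inheritedType
}

# User objects: Reset Password, plus read/write pwdLastSet (the attribute that
# "User must change password at next logon" sets to 0) and lockoutTime (needed
# to unlock accounts, and the missing piece reported above for the greyed-out box).
$userAcl = Get-Acl -Path "AD:\$usersOU"
$userAcl.AddAccessRule((New-Ace 'ExtendedRight' (Get-RightGuid 'Reset Password') $userClass))
$userAcl.AddAccessRule((New-Ace $readWrite (Get-SchemaGuid 'pwdLastSet') $userClass))
$userAcl.AddAccessRule((New-Ace $readWrite (Get-SchemaGuid 'lockoutTime') $userClass))
Set-Acl -Path "AD:\$usersOU" -AclObject $userAcl

# Workstation OU: allow creating computer objects, which is what joining a new
# PC needs once you stop relying on the default per-user MachineAccountQuota.
$compAcl = Get-Acl -Path "AD:\$computersOU"
$compAcl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'CreateChild', 'Allow', $computerClass, 'All'))
Set-Acl -Path "AD:\$computersOU" -AclObject $compAcl
```

Scoping the ACEs to the specific OUs and to the user/computer object classes keeps the group from gaining password-reset rights over admin accounts kept elsewhere; check the resulting entries afterwards with `(Get-Acl "AD:\$usersOU").Access | Where-Object IdentityReference -like '*IT Support*'`.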