I was doing some AD redesign work for a client this week, and I needed to move an Organisational Unit (OU). However, the domain had other ideas:
Active Directory Domain Services
Windows cannot move object {OU-Name} because: Access is denied.
It wasn’t a rights issue (I was an Enterprise Administrator).
Solution
As it turns out, it was the same problem I’d had deleting an OU back when Server 2008 first came out. Make sure you have enabled advanced features in Active Directory Users and Computers (View > Advanced Features). Then, on the OU’s Object tab, untick “Protect this object from accidental deletion”.
You can now move the OU (don’t forget to re-tick that option once you’ve got it where you want it!).
Related Articles, References, Credits, or External Links
“You do not have sufficient privileges to delete {OU Name}, or this object is protected from accidental deletion”
Cause
In Windows domains you have the option to protect an OU from accidental deletion, so that even a Domain/Enterprise Admin cannot delete it. That’s fine until you need to delete one.
Solution
To delete a protected OU
1. On the server (with administrative privileges).
2. Start > Run > dsa.msc {enter}
3. View > Advanced Features.
4. Right-click the OU > Properties > Object tab.
5. Untick “Protect this object from accidental deletion”.
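The same protection flag is behind both the “Access is denied” on a move and the “insufficient privileges” on a delete. As an added example (not from the original article), this does the move from the RSAT ActiveDirectory PowerShell module, lifting the flag, moving the OU and re-protecting it at the new location in one go; the OU names are placeholders.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module; the distinguished names are placeholders.
Import-Module ActiveDirectory

$ouDN     = 'OU=Sales,OU=Old Structure,DC=example,DC=local'   # OU to move
$targetDN = 'OU=New Structure,DC=example,DC=local'             # its new parent

# 1. Show the state of the flag that causes "Access is denied" on a move
$ou = Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion
"Protected before move: $($ou.ProtectedFromAccidentalDeletion)"

# 2. Lift the protection. This is the same as unticking "Protect this object
#    from accidental deletion" in ADUC: it removes the Deny Everyone delete ACEs.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false

# 3. Move the OU; -PassThru hands back the object at its new distinguished name
$moved = Move-ADObject -Identity $ouDN -TargetPath $targetDN -PassThru

# 4. Re-protect it at the new location (the step the article says not to forget)
Set-ADOrganizationalUnit -Identity $moved.DistinguishedName `
    -ProtectedFromAccidentalDeletion $true

# 5. Verify the flag is back on before walking away
Get-ADOrganizationalUnit -Identity $moved.DistinguishedName `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

For the delete case in the second article, replace steps 3 and 4 with `Remove-ADOrganizationalUnit -Identity $ouDN` (add `-Recursive` only if the OU still has children and you really mean to remove them).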
This is a two-part operation: first you need to give the user(s) the rights to change passwords, then give them the tools to do so.
Solution
Step 1: Grant the rights (Delegation of Control)
1. Whilst logged into a domain controller with administrative access, open “Active Directory Users and Computers” and create a group that you are going to grant password reset rights to. Note: In this example I’ve created it in the same OU; in practice you would probably create the group elsewhere in AD.
2. Make it a security group and give it a sensible name.
3. At this point I’m also going to create a test user (you will see why later) in the same OU that I’m going to grant password reset rights over.
4. Right-click the OU containing the users you want to grant password reset rights over (or, as in this example, the parent OU), then select “Delegate Control”.
5. At the welcome screen > Next.
6. Add > Locate the group you created earlier > OK > Next.
7. Grant the “Reset user passwords and force password change at next logon” task > Next.
8. Finish.
9. Finally, add the user(s) who need reset rights to the group you created earlier.
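Once the wizard has finished, it is worth confirming exactly what landed on the OU, and re-running the same check periodically, since delegated password-reset rights are a common privilege-creep finding. As an added example (not from the original article), this reads the OU’s ACL with the RSAT ActiveDirectory module and lists every principal holding the “Reset Password” control access right, plus the pwdLastSet write the wizard task also grants; the OU name is a placeholder and the GUIDs are the well-known schema GUIDs.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$ouDN = 'OU=Staff,DC=example,DC=local'   # placeholder: the OU you delegated

# Well-known schema GUIDs, identical in every forest
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # "Reset Password" control access right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # user object class
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path "AD:\$ouDN"

$acl.Access |
  Where-Object {
    # The wizard task grants the Reset Password right and write on pwdLastSet
    ($_.ActiveDirectoryRights.HasFlag($extRight)  -and $_.ObjectType -eq $resetPasswordRight) -or
    ($_.ActiveDirectoryRights.HasFlag($writeProp) -and $_.ObjectType -eq $pwdLastSetAttr)
  } |
  Select-Object IdentityReference, AccessControlType, IsInherited,
    @{ n = 'Right';     e = { if ($_.ObjectType -eq $resetPasswordRight) { 'Reset Password' } else { 'Write pwdLastSet' } } },
    @{ n = 'AppliesTo'; e = {
        if ($_.InheritedObjectType -eq $userClass)      { 'user objects' }
        elseif ($_.InheritedObjectType -eq [Guid]::Empty) { 'all descendant objects' }
        else { $_.InheritedObjectType } } } |
  Sort-Object IdentityReference |
  Format-Table -AutoSize
```

Anything in the output that is not the group you just created (or a built-in such as Account Operators) is a delegation you did not plan and should account for.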
Step 2: Give the user the tools – Option 1 (Create a Taskpad)
1. While still on your domain controller (or a machine with the RSAT tools installed), Start > in the search/run box type mmc {enter}.
2. File > Add/Remove Snap-in > locate and add the “Active Directory Users and Computers” snap-in > Add > OK.
3. Right-click the OU you are granting rights to > “New Taskpad View” (Note: you may need to turn on advanced view {View > Advanced Features}).
5. Next.
6. Set as required > Next.
7. Leave on defaults > Next.
8. Add a name and description > Next.
9. Make sure the “Add new tasks…” is selected > Finish.
10. Next.
11. Menu command > Next.
12. Select the test user you created above > Select “Reset Password” > Next.
13. This is what the user will see in their taskpad as an option > Next.
14. Select an icon > Next.
15. If you want to add anything else, leave the box ticked to re-run the wizard; otherwise > Finish. Let’s remove all the bits we don’t need: View > Customise > untick everything > OK.
16. File > Options > give the console a name > select “User mode – limited access, single window” > untick “Allow the user to customise views”. Note: You might want to tick “Do not save changes to this console” > Apply > OK.
17. File > Save > put the file somewhere you can find it.
18. Now your password admins can run this taskpad and have the “Reset Password” option.
Note: For them to be able to run this on their client machines, the following needs to be installed:
XP clients and 2003 Server: adminpack.msi (you will find it in the system32 folder on your 2003 domain controllers).
Vista clients and 2008 Server: install the Vista RSAT tools (download).
Windows 7 clients and Server 2008 R2: install the Windows 7 RSAT tools (download).
Step 2: Give the user the tools – Option 2 (Use NTAdmin)
1. Yes, it’s an old tool, but it’s simple and it works! Good for help desk staff and technophobes! Download NTAdmin > when you run it, Browse > select the user in question > OK.
2. Click ResetPW > take the default of “welcome” or choose a new one > Yes > OK.
A while back I did a job for a school; many weeks later their users have had to change their passwords. Nothing strange there; the problem is that now their teachers DON’T want their passwords to change at all.
For a single user you can simply edit the user object and set it to “Password never expires”; for a LOT of users this can be more time consuming.
Solution
Warning: There is a caveat! If the user object(s) you are applying this to have the attribute “User must change password at next logon” set, then that option will be REMOVED.
This is because, if you try this on an individual user that has the option ticked, you will see “User must change password at next logon” get cleared; doing it in bulk has the same effect, it just removes “User must change password at next logon” from every user it touches. If you are going to bulk-set the password on all users anyway, then carrying this out is OK.
1. However, if your users do not have this ticked, then you can set this option on an entire OU by executing the following command:
[box] dsquery user "OU={your target OU},DC={your domain},DC={your domain extension}" | dsmod user -pwdneverexpires yes [/box]
Update: Note: If your OU has more than 100 users in it, you need to add the ‘-limit’ flag and set it to a number greater than your actual number of users, e.g.
[box] dsquery user "OU={your target OU},DC={your domain},DC={your domain extension}" -limit 2000 | dsmod user -pwdneverexpires yes [/box]
2. Your users will now have this option set.
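The dsquery/dsmod pipeline applies the flag to everyone it finds, so the caveat above has to be checked by hand first. As an added example (not from the original article), this does the same bulk change with the RSAT ActiveDirectory module but skips any account that still has “User must change password at next logon” set (pwdLastSet = 0) and reports those separately, so the flag is never removed by accident; the OU name is a placeholder.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module; the OU is a placeholder.
Import-Module ActiveDirectory

$ouDN = 'OU=Teachers,DC=example,DC=local'

# Unlike dsquery (100 results unless -limit is raised), Get-ADUser -Filter *
# returns every match by default.
$users = Get-ADUser -Filter * -SearchBase $ouDN -SearchScope Subtree `
             -Properties pwdLastSet, PasswordNeverExpires

# pwdLastSet = 0 is how "User must change password at next logon" is stored
$mustChange = @($users | Where-Object { $_.pwdLastSet -eq 0 })
$alreadySet = @($users | Where-Object { $_.PasswordNeverExpires })
$eligible   = @($users | Where-Object { $_.pwdLastSet -ne 0 -and -not $_.PasswordNeverExpires })

"In scope: $($users.Count)  already set: $($alreadySet.Count)  " +
"skipped (must change at next logon): $($mustChange.Count)  to change: $($eligible.Count)"

# List the skipped accounts so they can be dealt with individually
$mustChange | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Dry run first: -WhatIf prints what would change without touching AD.
# Remove -WhatIf to apply.
$eligible | Set-ADUser -PasswordNeverExpires $true -WhatIf

# Verify afterwards: one row per flag value with a count
Get-ADUser -Filter * -SearchBase $ouDN -SearchScope Subtree -Properties PasswordNeverExpires |
    Group-Object PasswordNeverExpires -NoElement
```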
Related Articles, References, Credits, or External Links
Original article written 10/11/11
Thanks to Pierre, for the update on the ‘limit’ flag.