  1. #1

    Chunks_

    Teachers Changing Passwords

    Hi All
    Sorry to bring up an old topic, but I'm having problems allowing teachers to change students' passwords. I have 2 lots of software which are supposed to do this. However, neither is working. When you type in the username it auto-completes for you, suggesting it has access to the OU on which I have delegated permissions. However, when it goes to change the password, one software says access denied and the other says something about an exception of a target of an invocation.

    Anyone have any suggestions? I'm thinking some kind of group policy stopping it? But don't know where to start.

    Cheers for any help.

  2. #2

    Steve21
    Quote: Originally posted by Chunks_
    Hi All
    Sorry to bring up an old topic, but I'm having problems allowing teachers to change students' passwords. I have 2 lots of software which are supposed to do this. However, neither is working. When you type in the username it auto-completes for you, suggesting it has access to the OU on which I have delegated permissions. However, when it goes to change the password, one software says access denied and the other says something about an exception of a target of an invocation.

    Anyone have any suggestions? I'm thinking some kind of group policy stopping it? But don't know where to start.

    Cheers for any help.

    From what I've seen, that error is generally if you're trying to use the wrong code to change passwords, or older methods. A lot of the methods require the old password to change the new password (aka like Windows change password), not AD-side change password.

    Obvious other things to check, if you have a limit on password changes/days before changes/complexity etc.

    Could be a few things without seeing code/errors a bit more

    Steve

  3. #3

    DaveP
    What software are you using that is giving you these problems? [What are the two packages?]

  4. #4


    Eliminate the software by trying it as an admin, and if that works you know you're looking at user/AD permissions as opposed to coding issues.

  5. #5

    Chunks_
    Thanks for your replies.... Yeah sorry should have added more information.

    If you use the software as an admin it works fine.
    The two pieces of software are Burconix password changer and Wisesoft's password control (both suggested on EduGeek).

    I have also put my computer and the test user into an OU and blocked inheritance to check for issues with GP... still doesn't work, so don't think it's that now.

    Also there is no password policy except larger than 6 chars, so the one I'm entering would be fine.
    Last edited by Chunks_; 3rd May 2012 at 09:30 AM.

  6. #6

    Steve21
    Quote: Originally posted by Chunks_
    I have also put my computer and the test user into an OU and blocked inheritance to check for issues with GP... still doesn't work, so don't think it's that now.

    Also there is no password policy except larger than 6 chars, so the one I'm entering would be fine.

    You have to remember that LDAP allows most/all users to see people within the OU for items like the Outlook address book. In terms of editing it, maybe the permissions aren't working? Is it worth trying to give permissions to a random (non-viable through Outlook etc.) OU, and see if they can still autocomplete names in that OU?

    Steve

  7. #7

    Chunks_
    Not sure what you mean by non-viable. I don't have access to the email server as we are part of a wider group and that has been relocated to the head oriface!!!

  8. #8

    Steve21
    Quote: Originally posted by Chunks_
    Not sure what you mean by non-viable. I don't have access to the email server as we are part of a wider group and that has been relocated to the head oriface!!!

    As an example, our student/teacher OUs are all searchable through Outlook, for sending emails. However, our service accounts aren't. "But" if you've given the teacher full OU access (for that one) they should be able to autocomplete names on that too.

    Just to ensure you're not overlapping "normal" permissions to view names with "full control" for passwords. (You don't need access to Outlook for this.)

    If that made any sense?

    Steve

  9. #9

    PiqueABoo
    Off-hand I think any domain account can validate whether another domain user exists unless default perms in AD have been modified. The AD permissions required to allow some group password changing (plus I hope simultaneous unlocking) are quite fiddly. I made my own code for this and it requires more than just standard Delegation i.e. I had to additionally set some specific perms for the password resetting group.

  10. #10

    Chunks_
    OK, just to add some more info then. It auto-completes users from directories that I haven't delegated access to. Which probably follows that this is a bit of a red herring and maybe there is no access at all. I gave the test user full rights to that Organisation Unit and it still didn't work.

    Not sure if I said, but I have also put the user and the computer into an OU that blocks all inherited policies. Still not working.
    Last edited by Chunks_; 3rd May 2012 at 11:40 AM.

  11. #11

    Chunks_
    OK, so I have sorted it, but as part of it I need to set the inheritance on the child objects (users) to inherit from the parent OUs (don't fancy ticking that box individually on 1500 users)... anyone got a script I can use to do this? Found one on the net but it was full of errors...

  12. #12

    PiqueABoo
    Very bestest advice: STOP until you completely understand why all those user objects don't have the inheritance tick.

    I don't have a script, but one reason for inheritance being blocked is the adminSDHolder stuff discussed in KB817433 which has a Microsoft script in Method 1 to fix that issue (I've used it in the past and it worked for me). There are clearer explanations of the adminSDHolder story in other places if you net-search.

    If you have a different cause then it's clearly possible to adapt that script to just reinstate inheritance on all users under a given OU or similar, but don't look at me because VBS just isn't my thing and I'd probably mangle the syntax and delete your AD. That said at a glance I think you just need to change the oCmd.CommandText query to point to the right OU, lose the adminCount condition, comment out the SetAdminCount line in the while loop, plus if you're a really tidy type remove the redundant bits and change what it tells you it's doing, but it's VBS so get an expert...
    Last edited by PiqueABoo; 3rd May 2012 at 11:25 PM.

  13. Thanks to PiqueABoo from:

    Chunks_ (4th May 2012)

  14. #13

    Chunks_
    OK, thanks.... think I will use the adminSDHolder to get the settings down to the user... as per the KB article. Thanks
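
A read-only way to act on the advice in post #12 before changing anything, as an added example (not code from the thread or from KB817433): it lists user objects under an OU whose ACL does not inherit from the parent and splits them by whether adminCount is 1. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Requires the ActiveDirectory module (RSAT). Run as an account that can
# read security descriptors on the user objects.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the OU you delegated.
$SearchBase = 'OU=Students,DC=example,DC=local'

function Get-InheritanceReport {
    param([Parameter(Mandatory = $true)][string]$SearchBase)

    $query = @{
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Filter      = '*'
        Properties  = 'adminCount', 'nTSecurityDescriptor', 'memberOf'
    }
    Get-ADUser @query | ForEach-Object {
        # True when "Include inheritable permissions" is unticked on the object
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected

        $status = if (-not $blocked) {
            'Inheriting from parent OU'
        } elseif ($_.adminCount -eq 1) {
            'Blocked, adminCount=1 (AdminSDHolder, now or in the past)'
        } else {
            'Blocked, adminCount not set (some other cause)'
        }

        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            InheritanceBlocked = $blocked
            AdminCount         = $_.adminCount
            GroupCount         = @($_.memberOf).Count
            Status             = $status
        }
    }
}

$report = Get-InheritanceReport -SearchBase $SearchBase

# Summary first, then the accounts that a delegated OU permission cannot reach
$report | Group-Object Status | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object { $_.InheritanceBlocked } |
    Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

Accounts in the adminCount=1 group that are still members of a protected group have their ACL rewritten from AdminSDHolder periodically, so re-ticking inheritance on them does not persist.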
