
Unable to delegate "Reset user passwords and force password change at next logon"


Trust No One

May 3, 2010, 2:11:39 AM
Hi all,

Hope someone can help me out - I'm scratching my head about this one.

I'm doing my MCITP studies and I'm having problems with delegation.

I have a Windows 2008 Server R2 based Active Directory domain
contoso.com :). I've created a PEOPLE OU that has 5 user accounts,
and a security group HELPDESK that has some of these accounts as
members.

I've selected the PEOPLE OU, run the delegation of control wizard and
delegated the "Reset user passwords and force password change at next
logon" task to the HELPDESK group.

Simple enough. I've checked the permissions on the PEOPLE OU and the
delegation wizard has added the following:

Allow CONTOSO\HELPDESK SPECIAL ACCESS for pwdLastSet
WRITE PROPERTY
READ PROPERTY

Allow CONTOSO\HELPDESK Reset Password

The problem is that the delegation does not work. I've tested this by
logging on with a user account in the HELPDESK group and attempting to
reset the password of one of the user accounts in the PEOPLE OU.

The reset password dialog box shows the "User must change password at
next logon" check box grayed out. Attempting to reset the password
results in an error message "Windows cannot complete the password
change... Access is denied"

I just can't get it to work. The user accounts in the PEOPLE OU are
standard users. Any ideas on this one?


Meinolf Weber [MVP-DS]

May 3, 2010, 2:44:33 AM

Hello Trust,

See here about the minimum needed permissions:
http://support.microsoft.com/kb/296999

Also make sure they are NOT members of account operators group, where the
AdminSDHolder will reset the permissions hourly.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Trust No One

May 3, 2010, 3:46:55 AM

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d102b88...@msnews.microsoft.com...

>
> Hello Trust,
>
> See here about the minimum needed permissions:
> http://support.microsoft.com/kb/296999
>
> Also make sure they are NOT members of account operators group, where the
> AdminSDHolder will reset the permissions hourly.
>
Hi Meinolf,

Thanks for your reply. The user accounts in question are not _currently_
members of "Protected Groups". I'll expand on this a bit later in this post.

The symptoms I'm having are not exactly the same as those in KB article you
quoted. I am unable to reset the user account passwords (access denied) AND
I am unable to select the "User must change password on next logon" box
(grayed out).

In addition the 3 required permissions mentioned in the KB match those set
on the PEOPLE OU which I included in my initial post.

If I remove the permissions and delegate the "create, delete and manage
user accounts" task instead to the HELPDESK group, then I'm able to reset
passwords as well as create/delete user accounts in the PEOPLE OU.

WRT protected groups - one of the steps in my study guide was to place
Domain Users into Print Operators, so that the helpdesk accounts could log on
to the domain controller in order to run AD Users & Computers as part of the
exercise. The guide stressed that this is not recommended for production
environments :)

After I ran into problems I removed domain users from Print Operators and
built a member server and joined it to the contoso.com domain. I can log on
to this member server using the non-Admin accounts.

This has made no difference. I also had a look at:

http://support.microsoft.com/kb/932455

which seems applicable, but does not help :(

I'm stumped.

--
Peter <X-Files fan>
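As an added example (this is not code from the thread or from any of its posters), the PowerShell script below audits the two things the thread turns on. First, it checks whether the three ACEs that KB 296999 calls for (read and write of pwdLastSet, plus the "Reset Password" control access right) are present on the PEOPLE OU for HELPDESK and actually apply to descendant objects rather than to the OU alone. Second, it reports whether the user accounts inside the OU carry the marks that the AdminSDHolder/SDProp process leaves on members, including nested members, of protected groups such as Account Operators or Print Operators: adminCount=1 and inheritance disabled on the object's security descriptor. Removing an account from the group afterwards clears neither, so an OU-level delegation never reaches such an account until the marks are removed, which the repair function does for accounts that are no longer in any protected group. It assumes the RSAT ActiveDirectory module, the DN form `OU=PEOPLE,DC=contoso,DC=com` for the OU, and the function names `Test-HelpdeskDelegation`, `Get-AdminSdHolderMarks` and `Repair-AdminSdHolderMarks`, which are my own; the two GUIDs are the well-known schema GUID of the pwdLastSet attribute and the GUID of the Reset Password control access right.

```powershell
# Added example, not from the thread. Audits the delegation described in the posts.
# Assumptions: RSAT ActiveDirectory module installed; OU DN and group name as in the post.
Import-Module ActiveDirectory

$OuDn      = 'OU=PEOPLE,DC=contoso,DC=com'   # assumed DN of the PEOPLE OU from the post
$GroupName = 'HELPDESK'                      # group name from the post

# Well-known GUIDs, identical in every AD forest
$PwdLastSetGuid    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attributeSchema: pwdLastSet
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password

function Test-HelpdeskDelegation {
    # Reports whether the OU holds the three ACEs KB 296999 requires for the group,
    # and whether they are set to inherit (an ACE on "this object only" never reaches users).
    param([string]$OuDn, [string]$GroupName)

    $account = "$((Get-ADDomain).NetBIOSName)\$GroupName"   # e.g. CONTOSO\HELPDESK
    $acl     = Get-Acl -Path "AD:\$OuDn"
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]

    # Only Allow ACEs granted to the delegated group that apply to descendants
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $account -and
        $_.InheritanceType -ne 'None'
    })

    [pscustomobject]@{
        Group           = $account
        ReadPwdLastSet  = @($aces | Where-Object { $_.ObjectType -eq $PwdLastSetGuid -and
                              $_.ActiveDirectoryRights.HasFlag($rights::ReadProperty) }).Count -gt 0
        WritePwdLastSet = @($aces | Where-Object { $_.ObjectType -eq $PwdLastSetGuid -and
                              $_.ActiveDirectoryRights.HasFlag($rights::WriteProperty) }).Count -gt 0
        ResetPassword   = @($aces | Where-Object { $_.ObjectType -eq $ResetPasswordGuid -and
                              $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) }).Count -gt 0
    }
}

function Get-AdminSdHolderMarks {
    # Lists every user under the OU with the two traces SDProp leaves on protected accounts.
    # An account with InheritanceBlocked = True will not receive the OU's delegated ACEs.
    param([string]$OuDn)

    Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * `
               -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                User               = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-AdminSdHolderMarks {
    # Clears adminCount and re-enables inheritance on one account.
    # Use only for accounts that are no longer (directly or nested) in any protected group;
    # otherwise SDProp simply reapplies the AdminSDHolder ACL on its next run.
    param([string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $user -Clear adminCount

    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again; $true = keep explicit ACEs
    Set-Acl -Path $path -AclObject $acl
}

# Usage: run as a domain admin on a DC or RSAT workstation
Test-HelpdeskDelegation -OuDn $OuDn -GroupName $GroupName | Format-List
Get-AdminSdHolderMarks  -OuDn $OuDn | Format-Table -AutoSize
# Repair-AdminSdHolderMarks -SamAccountName 'someuser'   # only after the group membership is fixed
```

If `Test-HelpdeskDelegation` reports all three rights as True but `Get-AdminSdHolderMarks` shows InheritanceBlocked for the target accounts, the OU ACL is not the problem: the delegated ACEs exist but are never inherited by those users, and the access-denied result persists until the accounts are taken out of every protected group and repaired.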

