Re: Unable to delegate "Reset user passwords and force password change at next logon"




Hello Trust,

See here about the minimum needed permissions:
http://support.microsoft.com/kb/296999

Also make sure they are NOT members of account operators group, where the AdminSDHolder will reset the permissions hourly.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi all,

Hope someone can help me out - I'm scratching my head about this one.

I'm doing my MCITP studies and I'm having problems with delegation.

I have a Windows 2008 Server R2 based Active Directory domain
contoso.com :). I've created a PEOPLE OU that has 5 user accounts,
and a security group HELPDESK that has some of these accounts as
members.

I've selected the PEOPLE OU, run the delegation of control wizard and
delegated the "Reset user passwords and force password change at next
logon" task to the HELPDESK group.

Simple enough. I've checked the permissions on the PEOPLE OU and the
delegation wizard has added the following:

Allow CONTOSO\HELPDESK SPECIAL ACCESS for pwdLastSet
WRITE PROPERTY
READ PROPERTY
Allow CONTOSO\HELPDESK Reset Password

The problem is that the delegation does not work. I've tested this by
logging on with a user account in the HELPDESK group and attempting to
reset the password of one of the user accounts in the PEOPLE OU.

The reset password dialog box shows the "User must change password at
next logon" check box grayed out. Attempting to reset the password
results in an error message "Windows cannot complete the password
change... Access is denied"

I just can't get it to work. The user accounts in the PEOPLE OU are
standard users. Any ideas on this one?
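
A way to check the condition raised in the reply, as an added example that is not part of either post: for each user in the OU it reports adminCount, whether ACL inheritance is blocked (what AdminSDHolder does to protected accounts), and whether the two delegated ACEs are actually effective on the object. It assumes the ActiveDirectory RSAT module is available; the OU distinguished name and trustee name are modelled on the question.

```powershell
Import-Module ActiveDirectory

# Assumed values, modelled on the names used in the question.
$ouDn    = 'OU=PEOPLE,DC=contoso,DC=com'
$trustee = 'CONTOSO\HELPDESK'

# Resolve the two GUIDs from the directory instead of hard-coding them.
$root = Get-ADRootDSE
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(cn=User-Force-Change-Password)' -Properties rightsGuid).rightsGuid

$rights = [System.DirectoryServices.ActiveDirectoryRights]

Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter * `
    -Properties adminCount, nTSecurityDescriptor |
ForEach-Object {
    $sd = $_.nTSecurityDescriptor

    # Allow ACEs for the delegated group that are effective on this user object.
    $aces = $sd.Access | Where-Object {
        $_.IdentityReference.Value -eq $trustee -and
        $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        User               = $_.SamAccountName
        # adminCount = 1 means the account is (or once was) in a protected group.
        AdminCount         = $_.adminCount
        # True means the OU's delegated permissions cannot inherit down.
        InheritanceBlocked = $sd.AreAccessRulesProtected
        ResetPasswordAce   = [bool]($aces | Where-Object {
            $_.ObjectType -eq $resetPwdGuid -and
            ($_.ActiveDirectoryRights -band $rights::ExtendedRight)
        })
        PwdLastSetWriteAce = [bool]($aces | Where-Object {
            $_.ObjectType -eq $pwdLastSetGuid -and
            ($_.ActiveDirectoryRights -band $rights::WriteProperty)
        })
    }
} | Format-Table -AutoSize
```

A row with InheritanceBlocked set to True and both ACE columns False is an account on which the OU delegation is not taking effect.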


