Re: Unable to delegate "Reset user passwords and force password change at next logon"

Hello Trust,

See here abouyt the minimum needed permisisons:
http://support.microsoft.com/kb/296999

Also make sure they are NOT members of account operators group, where the
AdminSDHolder will reset the permissions hourly.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi all,
>
> Hope someone can help me out - I'm scratching my head about this one.
>
> I'm doing my MCITP studies and I'm having problems with delegation.
>
> I have a Windows 2008 Server R2 based Active Directory domain
> contoso.com . I've created a PEOPLE OU that has 5 user acccounts,
> and a security group HELPDESK that has some of these accounts as
> members.
>
> I've selected the PEOPLE OU, run the delegation of control wizard and
> delegated the "Reset user passwords and force password change at next
> logon" task to the HELPDESK group.
>
> Simple enough. I've checked the permissions on the PEOPLE OU and the
> delegation wizard has added the following:
>
> Allow CONTOSO\HELPDESK SPECIAL ACCESS for pwdLastSet
> WRITE PROPERTY
> READ PROPERTY
> Allow CONTOSO\HELPDESK Reset Password
>
> The problem is that the delegation does not work. I've tested this by
> logging on with a user account in the HELPDESK group and attempting to
> reset the password of one fo the user accounts in the PEOPLE OU.
>
> The reset password dialog box shows the "User must change password at
> next logon" check box grayed out. Attempting to reset the password
> results in an error message "Windows cannot complete the password
> change... Access is denied"
>
> I just can't get it to work. The user accounts in the PEOPLE OU are
> standard users. Any ideas on this one?
>

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news: .com...
>
> Hello Trust,
>
> See here abouyt the minimum needed permisisons:
> http://support.microsoft.com/kb/296999
>
> Also make sure they are NOT members of account operators group, where the
> AdminSDHolder will reset the permissions hourly.
>
Hi Meinolf,

Thanks for your reply. The user accounts in question are not _currently_
members of "Protected Groups". I'll expand on this a bit later in this post.

The symptoms I'm having are not exactly the same as those in KB article you
quoted. I am unable to reset the user account passwords (access denied) AND
I am unable to select the "User must change passsword on next logon box"
(grayed out).

In addition the 3 required permissions mentioned in the KB match those set
on the PEOPLE OU which I included in my intial post.

If I remove the permissions and delegate the "create, delete and manage
user accounts" task instead to the HELPDESK group, then I'm able to reset
passwords as well as create/delete user accounts in the PEOPLE OU.

WRT to protected groups - one of the steps in my study guide was to place
Domain Users into Print Operators, so that the helpdesk accounts could logon
to the domain controller in order to run AD Users & Computers as part of the
exercise. The guide stressed that this is not recommended for production
environments

After I ran into problems I removed domain users from Print Operators and
built a member server and joined it to the contoso.com domain. I can logon
to this member server using the non-Admin accounts.

This has made no difference. I also had a look at;

http://support.microsoft.com/kb/932455

which seems applicable, but does not help

I'm stumped.

--
Peter <X-Files fan>