Delegate Control for Password Resets

I'm trying to delegate control to a specific AD Security Group so they can reset passwords for users within a specific OU.  I ran the Delegation of control wizard, added the group, did everything custom and followed the directions perfectly as described here:

http://support.microsoft.com/kb/296999 

Problem is, the users in that group can't actually do it.  The box is disabled for forcing the password to expire, and trying to reset the password produces access denied.

I'm doing the change from a Vista machine with the RSAT tools.  I have verified the permissions on the Security tab on the OU after making the change.  I ran a gpresult from the machine, and it is properly seeing the user in the necessary group.

I notice on Windows Server 2003, I can't see the security tab on an OU.  I tried removing the rights from the Vista RSAT, then adding on the Server 2003.  When that occurs, I can see the permissions from my Vista machine so I know they are propogating properly.

Any ideas how I can debug where the problem lies?
rosederekj asked:

Pber (Solutions Architect) commented:
What if you look at the permissions of the User objects themselves?  Are they inheriting?  Are they trying to select to change a password of an Admin account?  AD will remove inheritance on certain types of Admin accounts.
 
See this regarding that:
http://support.microsoft.com/kb/817433 
 
 

Pber (Solutions Architect) commented:
If the group is new, you may want to try and logoff and logon again for that user.  I know you mentioned gpresult indicated the group membership, you may still want to try that.
Also depending on your AD architecture, you may need to wait for replication for the group membership and permissioning to fully replicate.
Other than that, as long as they have been delegated the "Reset Password" right on User Objects, that option should no longer be grayed out.
 
To see the security TAB, make sure you select View, Advanced Features in the ADUC MMC.

rosederekj (author) commented:
Thanks for the links above - I did double-check and made sure I did things correctly.  I also found the part about Advanced Features when reading, so I can now see the Security tab on my 03 boxes.

My replication happens hourly, but after making my changes I forced replication to make my changes go across the DCs.

The group has existed for almost a month.  I could have sworn when I first created this, I tested it with a member of the group and it worked.  Now, for whatever reason, it doesn't.  I thought it was tied to UAC somehow since that was recently enabled, but I get the same problem regardless of whether it is trying to run from XP or Vista.

Even from the machines I'm trying on - I view the security tab on the OU and it is set properly.  Just when I try to do it, no luck.

Americom commented:
See if these steps cover it.
These are the steps that I have tested to allow Admins group to ONLY reset user's password:

1. Right click on the OU you want to delegate and select Delegation of Control Wizard
2. Add the Admins group and click Next
3. Select "Create a custom task to delegate" and click Next
4. Select "Only the following objects in the folder"
5. Scroll down to the end and check "User objects" and click Next
6. Scroll down and check both "Change Password" and "Reset Password"
7. Click Next and click Finish.

Pber (Solutions Architect) commented:
You can also make sure the permissions are correct by clicking the Effective Permissions tab in the Advanced Security dialog of that OU and confirming that both the group as well as the users that are members of that group have the Reset Password right on User Objects.

rosederekj (author) commented:
I tried manually from a granular approach and just doing the steps above (just password reset and change).

Effective Permissions don't show anything checked.  That's a good sign with at least finding out what is wrong.

The permissions are set to inherit from the parent.  I had a thought that these users might be members of another group that is restricted to do that, but I want to be careful with removing permissions from this as it's not easy to rollback.  I was also taking the approach that I'm a domain admin and a domain user/authenticated user/everyone, so I don't think that applies.

The other thought is "apply these permissions to objects and/or containers within this container only" but not sure that would fix it.

So, Effective Permissions are blank for the NT group, but the security tab shows the correct permissions.

Pber (Solutions Architect) commented:
I've looked at how my security looks for our helpdesk group that has reset password and pwdLastSet.
  • The Reset Password right is applied onto User objects at the OU that holds the user objects.
  • The Read/Write pwdLastSet attribute is also applied onto User objects at the OU that holds the user objects (see attached)

Attachment: pwdLastSet.JPG

rosederekj (author) commented:
What do your effective permissions look like for the group you are delegating to?

Americom commented:
If you are not familiar with security permissions, using delegation would be a safer way to grant permission. Usually permission can be inherited, but delegation will add the permission you want, unless "denied" access is granted. The steps I provided above will give you the proper permissions for the user to reset the password of user accounts in the specific. Pber also shows the permission needed in his screen capture. Just make sure "User objects" is selected under Apply to.

Pber (Solutions Architect) commented:
Weird, the group delegation doesn't show the effective permissions, but the members show the correct permissions.

Americom commented:
Don't look at effective permissions for comparison; it will be confusing. Everyone has a different set of effective permissions depending on what you want the group to do. Every group you grant access to will have its default set of permissions on the OU or AD, plus whatever additional rights you granted or delegated.
In your case, you would concentrate on the security group that you want to work on. You can use delegation. Or you can simply right click on the OU and check the needed permissions; again, just make sure what is selected under Apply to, etc. This is usually messier, as certain objects do not show all the permissions, since it depends on the type of object you are looking at as well as the type of permissions and where you are trying to apply the permission to....

rosederekj (author) commented:
I gave the group Full Control over that OU.  I can do anything else, create, delete, etc - but can't change passwords.  

I'll take a step back and try again tomorrow, has to be something I'm missing.

Pber (Solutions Architect) commented:
Unless there is an explicit deny in there that will override an allow, it should work.
 
So you right click a user and they can't select "Reset Password", or do they get access denied when they try?

Pber (Solutions Architect) commented:
You gave them Full Control over the OU?  Full control to what?  User Objects?

rosederekj (author) commented:
They get access denied when they try to reset the password, and the checkbox to force the password to expire at next login is also greyed out.

Yes, Full Control over the OU for User Objects as a test.

Pber (Solutions Architect) commented:
Are you sure there are no deny permissions in there?  You can see better from the Advanced security dialog.

rosederekj (author) commented:
I'm at a loss here.  I went and re-created the permissions again this morning.  Attached are the attributes I set.

The other permissions are default - Administrators, Authenticated Users, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Everyone, Pre-Windows 2000 and SYSTEM.  The only groups that the users would be in are Authenticated Users and Everyone.  Authenticated Users has a few reads, Everyone has several denies on deletes but nothing on an attribute I'm trying to set.


rosederekj (author) commented:
Guess my upload didn't work - here is the image with the attributes.

http://img199.imageshack.us/my.php?image=capture1h.jpg

rosederekj (author) commented:
I actually did notice that individual user objects that are non-admins (didn't check admins) are not inheriting the permissions.  For example, the group named ADPWReset doesn't have an attribute on the security tab of the actual user object.

I'll give that a read and report back, thanks.

Pber (Solutions Architect) commented:
Keep in mind that article discusses features that are by design, so hotfixes aren't really needed.  We had some issues with this when people move in and out of admin roles and certain groups wouldn't inherit properly.   We found that the admincount attribute was still set to 1.
Here are some articles that talk about the admincount attribute.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22775367.html
http://x220.minasi.com/forum/topic.asp?TOPIC_ID=15221
http://forums.techarena.in/active-directory/1133548.htm 
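The inheritance problem described in this thread can be spotted per user rather than by eyeballing the Security tab. The following script is an added example, not code from any of the posters: it walks the user objects in an OU and reports each one's adminCount, whether inheritance is blocked on its ACL, and whether the delegated group has an Allow ACE carrying the "Reset Password" extended right (the Microsoft-documented GUID for that right). It assumes RSAT's ActiveDirectory module, and the OU distinguished name is a placeholder to replace; the group name ADPWReset is the one from the thread.

```powershell
# Added diagnostic, not from the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and that $OU is replaced with your own OU's DN.
Import-Module ActiveDirectory

$OU        = 'OU=Staff,DC=example,DC=com'   # placeholder, replace with your OU
$GroupName = 'ADPWReset'                    # delegated group named in the thread

# Extended right "Reset Password" (User-Force-Change-Password), a documented constant
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Test-ResetPasswordAce {
    # Returns $true when the ACL grants the group Reset Password on this object,
    # either explicitly or via a blanket ExtendedRight/GenericAll allow.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$GroupName") { continue }
        $hasExtendedRight = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.ObjectType -eq $ResetPasswordGuid) { return $true }
        if ($ace.ObjectType -eq [guid]::Empty -and $hasExtendedRight) { return $true }
    }
    return $false
}

# Users with adminCount=1 and InheritanceBlocked=True are the ones AdminSDHolder
# has stamped; the delegated ACE never reaches them, which matches the symptom
# in the thread (access denied on reset, "must change password" greyed out).
Get-ADUser -SearchBase $OU -Filter * -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            User               = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $acl.AreAccessRulesProtected
            GroupCanReset      = Test-ResetPasswordAce $acl
        }
    } | Format-Table -AutoSize
```

Rows showing AdminCount 1 and InheritanceBlocked True are the accounts the linked KB article covers; ordinary users that also show InheritanceBlocked True have had inheritance disabled by hand and need it re-enabled before the OU delegation applies.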

rosederekj (author) commented:
Permissions were not inheriting correctly - once that was resolved, it worked.  Thanks for your repeated patience and follow-up.

Pber (Solutions Architect) commented:
I'm sorry I didn't key in on that earlier.  From your base question it looked like you did things correctly, turns out you did.  Damn inheritance! (:
Anyhow, glad it's working.