Solved

Delegate Control for Password Resets

Posted on 2009-05-19
1,856 Views
Last Modified: 2012-05-07
I'm trying to delegate control to a specific AD Security Group so they can reset passwords for users within a specific OU.  I ran the Delegation of control wizard, added the group, did everything custom and followed the directions perfectly as described here:

http://support.microsoft.com/kb/296999

Problem is, the users in that group can't actually do it.  The box is disabled for forcing the password to expire, and trying to reset the password produces access denied.

I'm doing the change from a Vista machine with the RSAT tools.  I have verified the permissions on the Security tab on the OU after making the change.  I ran a gpresult from the machine, and it is properly seeing the user in the necessary group.

I notice on Windows Server 2003, I can't see the security tab on an OU.  I tried removing the rights from the Vista RSAT, then adding on the Server 2003.  When that occurs, I can see the permissions from my Vista machine so I know they are propagating properly.

Any ideas how I can debug where the problem lies?
Question by:rosederekj
23 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 24422376
0
 
LVL 26

Expert Comment

by:Pber
ID: 24422626
If the group is new, you may want to try and logoff and logon again for that user.  I know you mentioned gpresult indicated the group membership, you may still want to try that.
Also depending on your AD architecture, you may need to wait for replication for the group membership and permissioning to fully replicate.
Other than that, as long as they have been delegated the "Reset Password" right on User Objects, that option should no longer be grayed out.
 
To see the security TAB, make sure you select View, Advanced Features in the ADUC MMC.
0
 

Author Comment

by:rosederekj
ID: 24422797
Thanks for the links above - I did double-check and made sure I did things correctly.  I also found the Advanced Features setting while reading, so I can now see the Security tab on my 03 boxes.

My replication happens hourly, but after making my changes I forced replication to make my changes go across the DC's.  

The group has existed for almost a month.  I could have sworn when I first created this, I tested it with a member of the group and it worked.  Now, for whatever reason, it doesn't.  I thought it was tied to UAC somehow since that was recently enabled, but I get the same problem regardless of whether it is run from XP or Vista.

Even from the machines I'm trying on - I view the security tab on the OU and it is set properly.  Just when I try to do it, no luck.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24422854
See if these steps cover it.
These are the steps that I have tested to allow the Admins group to ONLY reset users' passwords:

1. Right-click on the OU you want to delegate and select Delegation of Control Wizard
2. Add the Admins group and click Next
3. Select "Create a custom task to delegate" and click Next
4. Select "Only the following objects in the folder"
5. Scroll down to the end and check "User objects" and click Next
6. Scroll down and check both "Change Password" and "Reset Password"
7. Click Next and click Finish.
0
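The same delegation can be written as explicit ACEs from PowerShell, which makes the result reviewable and repeatable. The following is an added example and is not code from the thread or from either poster; the OU distinguished name and the group name are placeholders, and it also grants Read/Write on pwdLastSet (the right behind the "User must change password at next logon" checkbox that the question describes as greyed out). It requires the ActiveDirectory module and its AD: drive.

```powershell
# Added example (not from the thread): grant a group the rights the Delegation
# of Control Wizard steps above produce, plus Read/Write pwdLastSet, as explicit
# ACEs on the OU that are inherited only by user objects beneath it.
# Assumed names: the OU DN and the group 'CORP\HelpDesk-PwReset' are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$groupName = 'CORP\HelpDesk-PwReset'         # placeholder delegated group
$group     = New-Object System.Security.Principal.NTAccount($groupName)

# Schema GUIDs for the object class, control access rights and attribute involved.
$userClass      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$changePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # "Change Password" control access right
$pwdLastSet     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# Apply to descendant objects only, restricted to the user class: this is what
# "Only the following objects in the folder -> User objects" does in the wizard.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($right in $resetPassword, $changePassword) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $right, $inherit, $userClass)))
}

# Read/Write pwdLastSet lets the delegate set "User must change password at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $pwdLastSet, $inherit, $userClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Show exactly what was written so the change can be reviewed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it once as an account that can modify the OU's security descriptor; the final listing should show three Allow entries for the group, each with InheritedObjectType equal to the user class GUID. If a later check on an individual user object does not show these entries, the object is not inheriting from the OU, which is the direction the thread eventually takes.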
 
LVL 26

Expert Comment

by:Pber
ID: 24422928
You can also make sure the permissions are correct by clicking the Effective Permissions tab in the Advanced Security dialog of that OU and confirming that both the group as well as the users that are members of that group have the Reset Password right on User Objects.
0
 

Author Comment

by:rosederekj
ID: 24423105
I tried manually from a granular approach and just doing the steps above (just password reset and change).

Effective Permissions don't show anything checked.  That's a good sign with at least finding out what is wrong.

The permissions are set to inherit from the parent.  I had a thought that these users might be members of another group that is restricted to do that, but I want to be careful with removing permissions from this as it's not easy to rollback.  I was also taking the approach that I'm a domain admin and a domain user/authenticated user/everyone, so I don't think that applies.

The other thought is "apply these permissions to objects and/or containers within this container only" but not sure that would fix it.

So, Effective Permissions are blank for the NT group, but the security tab shows the correct permissions.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24423191
I've looked at how my security looks for our helpdesk group that has reset password and pwdLastSet.
  • The Reset Password right is applied onto User objects at the OU that holds the user objects.
  • The Read/Write pwdLastSet attribute is also applied onto User objects at the OU that holds the user objects (see attached)


[Attachment: pwdLastSet.JPG]
0
 

Author Comment

by:rosederekj
ID: 24423281
What do your effective permissions look like for the group you are delegating to?
0
 
LVL 18

Expert Comment

by:Americom
ID: 24423302
If you are not familiar with security permissions, using delegation would be a safer way to grant permissions. Usually permissions can be inherited, but delegation will add the permission you want, unless "denied" access is granted. The steps I provided above will give you the proper permissions for the user to reset the password of user accounts in the specific. Pber also shows the permissions needed in his screen capture. Just make sure "User objects" is selected under Apply to.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24423317
Weird, the group delegation doesn't show the effective permissions, but the members show the correct permissions.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24423508
Don't look at effective permissions for comparison; it will be confusing. Everyone has a different set of effective permissions depending on what you want the group to do. Every group you grant access to will have its default set of permissions on the OU or AD, plus whatever additional rights you granted or delegated.
In your case, you would concentrate on the security group that you want to work on. You can use delegation. Or you can simply right-click on the OU and check the needed permissions; again, just make sure what is selected in "Apply to" etc., but this is usually messier, as certain objects do not show all the permissions, depending on the type of object you are looking at as well as the type of permission and where you are trying to apply the permission to....
0
 

Author Comment

by:rosederekj
ID: 24424679
I gave the group Full Control over that OU.  I can do anything else, create, delete, etc - but can't change passwords.  

I'll take a step back and try again tomorrow, has to be something I'm missing.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24424702
Unless there is an explicit deny in there that will override an allow, it should work.
 
So you right click a user and they can't select "Reset Password", or do they get access denied when they try?
0
 
LVL 26

Expert Comment

by:Pber
ID: 24424719
You gave them Full Control over the OU?  Full control to what?  User Objects?
 
0
 

Author Comment

by:rosederekj
ID: 24424808
They get access denied when they try to reset the password, and the checkbox to force the password to expire at next login is also greyed out.

Yes, Full Control over the OU for User Objects as a test.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24424851
Are you sure there are no deny permissions in there?  You can see better from the Advanced security dialog.
0
 

Author Comment

by:rosederekj
ID: 24430785
I'm at a loss here.  I went and re-created the permissions again this morning.  Attached are the attributes I set.

The other permissions are default - Administrators, Authenticated Users, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Everyone, Pre-Windows 2000 and SYSTEM.  The only groups that the users would be in are Authenticated Users and Everyone.  Authenticated Users has a few read entries; Everyone has several denies on deletes but nothing on an attribute I'm trying to set.

0
 

Author Comment

by:rosederekj
ID: 24430794
Guess my upload didn't work - here is the image with the attributes.

http://img199.imageshack.us/my.php?image=capture1h.jpg
0
 
LVL 26

Accepted Solution

by:Pber (earned 500 total points)
ID: 24430963
What if you look at the permissions of the User objects themselves?  Are they inheriting?  Are they trying to change the password of an Admin account?  AD will remove inheritance on certain types of Admin accounts.
 
See this regarding that:
http://support.microsoft.com/kb/817433
 
 
0
 

Author Comment

by:rosederekj
ID: 24431061
I actually did notice that individual user objects that are non-admins (didn't check admins) are not inheriting the permissions.  For example, the group named ADPWReset doesn't have an entry on the security tab of the actual user object.

I'll give that a read and report back, thanks.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24431151
Keep in mind that article discusses features that are by design, so hotfixes aren't really needed.  We had some issues with this when people moved in and out of admin roles and certain groups wouldn't inherit properly.   We found that the adminCount attribute was still set to 1.
Here are some articles that talk about the admincount attribute.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22775367.html
http://x220.minasi.com/forum/topic.asp?TOPIC_ID=15221
http://forums.techarena.in/active-directory/1133548.htm
0
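The check Pber suggests (look at the user objects themselves, see whether they inherit, and watch for adminCount) can be run over a whole OU at once. The following is an added example and is not code from the thread or from either poster; the OU distinguished name and group name are placeholders, and the script only reports, it changes nothing. For each user under the OU it shows whether the delegated Reset Password ACE is actually present on the object, whether inheritance is blocked on it, and whether adminCount is set, which is the marker the KB article above associates with accounts whose ACL is rewritten from AdminSDHolder.

```powershell
# Added example (not from the thread): find user objects under an OU that do not
# carry the delegated "Reset Password" ACE, and show the two usual causes:
# inheritance blocked on the object, and adminCount=1 (protected account).
# Assumed names: the OU DN and the group 'CORP\HelpDesk-PwReset' are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$groupName = 'CORP\HelpDesk-PwReset'         # placeholder delegated group

$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-ResetPasswordDelegation {
    param([string]$UserDN)

    $acl  = Get-Acl -Path "AD:\$UserDN"
    $user = Get-ADUser -Identity $UserDN -Properties adminCount

    # An ACE grants the right if it is an Allow for our group, carries the
    # ExtendedRight bit, and names Reset Password (or all extended rights).
    $hasAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $groupName -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($_.ObjectType -eq $resetPassword -or $_.ObjectType -eq [Guid]::Empty)
    }

    [pscustomobject]@{
        User                = $user.SamAccountName
        HasResetPasswordAce = [bool]$hasAce
        InheritanceBlocked  = $acl.AreAccessRulesProtected  # "Include inheritable permissions" unticked
        AdminCount          = $user.adminCount              # 1 => ACL stamped from AdminSDHolder
    }
}

# Report only the users the delegate will NOT be able to reset.
Get-ADUser -SearchBase $ouDN -SearchScope Subtree -Filter * |
    ForEach-Object { Test-ResetPasswordDelegation -UserDN $_.DistinguishedName } |
    Where-Object { -not $_.HasResetPasswordAce } |
    Sort-Object User |
    Format-Table -AutoSize
```

A row with InheritanceBlocked true and AdminCount 1 is a protected account: if it genuinely still holds an admin role, the delegation should not reach it and nothing needs fixing; if it is a former admin that was never cleaned up, clearing adminCount and re-enabling inheritance on the object is the usual remedy (which is what resolved this question). A row with InheritanceBlocked true and no adminCount is inheritance that was switched off by hand on that object.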
 

Author Closing Comment

by:rosederekj
ID: 31583020
Permissions were not inheriting correctly - once that was resolved, it worked.  Thanks for your repeated patience and follow-up.
0
 
LVL 26

Expert Comment

by:Pber
ID: 24431942
I'm sorry I didn't key in on that earlier.  From your base question it looked like you did things correctly, turns out you did.  Damn inheritance! (:
Anyhow, glad it's working.
0
