• Status: Solved

My helpdesk lost password reset privileges

My helpdesk group somehow lost its ability to reset passwords for users within one OU. Supposedly no one has made any changes, but something happened. They can reset passwords for users in other OUs within the same domain. I need to know how to begin troubleshooting the issue. It's a Windows 2003 AD in native mode.
Asked by: bernardb

Radhakrishnan RIT Commented:
Have you done any delegation on that group? Make sure the check box "User's able to change password" option is enabled.

JBond2010 Commented:
It sounds like the permissions on the OU have changed. What you need to do is go into Active Directory Users and Computers, select View and then tick Advanced View. Right-click on the OU and select Properties, then click on the Security tab, then click on the Advanced tab, highlight the HelpDesk group, click Edit and check to see if they have the reset password permission.

JBond2010 Commented:
I'm assuming that the OU has "been" Delegated Control of the OU, as they were able to reset passwords before. Just check this to make sure.
 
bernardb (Author) Commented:
The group has the reset password permission. I haven't used delegation.

JBond2010 Commented:
Have you tried removing the help desk group and then going through the Delegation of Control Wizard and re-adding the permissions?

JBond2010 Commented:
You have to use the Delegation of Control Wizard to grant control of the OU to the HelpDesk Group. Then you set the required permission, such as the reset password permission, and then finish the Wizard. Then check to see if they can reset passwords.

bernardb (Author) Commented:
I really thought they were given the permissions by the group being added to the Account Operators group... My understanding is that delegation of the OU wasn't given to the group using the wizard. I will do that if needed.

I will also try removing the group and adding it from the advanced security tab.

bernardb (Author) Commented:
OK, I removed the group and re-added it using the Delegation of Control Wizard, granting the reset password permission etc. I won't find out if it works until tomorrow morning. I will update the site then.

Thank you

JBond2010 Commented:
You also need to check the inheritable permissions and make sure there are no deny permissions in place.

bernardb (Author) Commented:
OK, I'm back at work and it gets worse. In some OUs the Helpdesk has permission to change passwords for some users, and for other users within the same OU they can't...

JBond2010 Commented:
You need to set the permissions so they propagate to all objects in the required OUs.

bernardb (Author) Commented:
Can I take the group they're in and add it up higher in the hierarchy of OUs and give that group the permissions needed to change all user passwords?

And if so, which permissions should I grant to this group specifically? And I should be using the delegation wizard, correct?

JBond2010 Commented:
Yes, you can do this and just grant them only the permissions they need, which I assume is reset passwords. It is recommended that you use the Delegation of Control Wizard.

bernardb (Author) Commented:
Sooo sorry for the late response... This didn't work for the one specific OU they had the issue with. They still can't change the passwords for users within this OU. Anything else I can try?

JBond2010 Commented:
You need to have a look at the ACEs (Access Control Entries) for this OU. Are they a member of another OU where perhaps the deny permission is set? These are things you need to look out for.

JBond2010 Commented:
Right-click on the OU in question and select Properties > click on the Security tab > then click Advanced > click on Effective Permissions > and where it says Group or User Name, click on Select and type in the name of the Security Group and have a look through the permissions for this Group.
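
The checks suggested in this thread (reset-password permission present, permissions propagating to every user, no deny entries) can be run per user object in one pass. The following PowerShell is an added example, not part of any post above; the OU distinguished name and group name are placeholders, and it only matches ACEs granted to the named group directly, not through nested groups.

```powershell
# Added example: audit who can reset passwords on each user in an OU.
# $OuDn and $Group are placeholders (assumptions), not values from the thread.
$OuDn  = 'OU=Staff,DC=example,DC=com'
$Group = 'EXAMPLE\HelpDesk'

# "Reset Password" control access right (User-Force-Change-Password)
$ResetPwd = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ResetPasswordReport {
    param([string]$OuDn, [string]$Group)

    $root     = [ADSI]"LDAP://$OuDn"
    $filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize    = 500        # page through large OUs
    $searcher.SearchScope = 'Subtree'

    foreach ($hit in $searcher.FindAll()) {
        $entry = $hit.GetDirectoryEntry()
        $sd    = $entry.psbase.ObjectSecurity
        # Explicit and inherited ACEs, identities shown as DOMAIN\name
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

        # ACEs that cover Reset Password: the specific right, or all extended
        # rights (empty ObjectType; Full Control also carries the ExtendedRight bit)
        $reset = @($rules | Where-Object {
            ($_.ActiveDirectoryRights -band $ExtRight) -and
            ($_.ObjectType -eq $ResetPwd -or $_.ObjectType -eq [Guid]::Empty)
        })
        $allow = @($reset | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Group })
        $deny  = @($reset | Where-Object { $_.AccessControlType -eq 'Deny' } |
                   ForEach-Object { $_.IdentityReference.Value })

        New-Object PSObject -Property @{
            User               = $entry.psbase.Properties['sAMAccountName'].Value
            InheritanceBlocked = $sd.AreAccessRulesProtected  # OU ACEs do not reach this user
            GroupAllow         = ($allow.Count -gt 0)
            DenyBy             = ($deny -join '; ')
        }
    }
}

# Show only the users where something would stop the helpdesk group
Get-ResetPasswordReport -OuDn $OuDn -Group $Group |
    Where-Object { $_.InheritanceBlocked -or $_.DenyBy -or -not $_.GroupAllow } |
    Select-Object User, InheritanceBlocked, GroupAllow, DenyBy |
    Format-Table -AutoSize
```

Users listed with `InheritanceBlocked` set to True do not receive permissions delegated at the OU, which is one way some users in an OU can differ from others.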