Solved

Minimum permission to reset passwords

Posted on 2015-02-01
Last Modified: 2015-02-08
Hello Expert,
I have a temporary technician who comes in once in a while to do work for us. I want to assign him the permission to reset passwords of Active Directory users. All the users are in an OU called Staff; I don't want him to reset passwords of users who are in other OUs (for example ManagementUsers, ExecutiveUsers, VIPUsers), and no other dangerous access rights.

I use windows 2008 Domain Controller.

This is what I've done so far...
1 - Created a user account for the technician.
2 - On the "Staff" OU in Active Directory, I right-clicked, selected the Delegate Control wizard and added that user as the delegate.
3 - From the common tasks to delegate, I selected only "reset password".
4 - Finish.

I have tested the above configuration and it is not working. This is where I'm stuck... I want to know what other permissions I need to assign to this user so he can reset passwords only on the "Staff" OU and absolutely no other permissions.

Waiting for your support.
Thank you.
Question by: smpvm
18 Comments
 
LVL 4

Expert Comment

by:Manoj Bojewar
ID: 40583430
This is enough to reset passwords for the users of a particular OU. Please give it some time for the permission to replicate. I would say check now and let us know the result.
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40583434
Your way is 100% correct and no additional permissions are required to reset user passwords (usually given together with force change password on next logon). Could you do an RSOP for this delegated user?
 

Expert Comment

by:deepak_giri
ID: 40583441
When you checked this login, what extra permissions did you have?

You just go by backtracking: remove those permissions.

Hope this will solve your problem.
 
LVL 24

Accepted Solution

by:
VB ITS earned 250 total points
ID: 40583484
It's also worth checking the permissions on the user account you're trying to reset the password on to make sure that it does not have inheritance turned off.

- In Active Directory Users and Computers, click on View in the top menu bar, then click on Advanced Features
- Now browse to the Staff OU and right click on the problematic user account, then click Properties
- Click on the Security tab
- Click on the Advanced button
- Verify the Include inheritable permissions from this object's parent box is ticked


A few other things to check:
- If you have multiple Domain Controllers in your environment then verify that your changes have replicated. You can force the replication if necessary: https://technet.microsoft.com/en-us/library/cc816926%28v=ws.10%29.aspx
- Verify that the user account you are trying to reset the password for isn't a member of a protected group. Go back into the user account's Properties in ADUC then click on the Attribute Editor tab. Now look at the adminCount attribute and make sure this is set to either 0 or <not set>
- This may seem simple but did you log out of the Technician account then log back in after you delegated the reset password ability?
- Lastly double check that you have granted the correct access in the Delegate Control Wizard:
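The checks listed above (adminCount, blocked inheritance, whether the delegated ACE actually reached each user) can be run in one pass over the OU instead of opening every account in ADUC. The following script is an added example, not code from this answer or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the OU distinguished name `OU=Staff,DC=example,DC=com` and the account `EXAMPLE\technician` are placeholders for your own values.

```powershell
# Added example: audit why a delegated "Reset password" right may not work
# for users under the Staff OU. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$StaffOU    = 'OU=Staff,DC=example,DC=com'   # assumption: your Staff OU
$Technician = 'EXAMPLE\technician'           # assumption: the delegated account

# Well-known GUID of the "Reset Password" control-access right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight     = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Resolve the technician to a SID so ACEs can be matched reliably.
$techSid = (New-Object System.Security.Principal.NTAccount($Technician)).Translate(
    [System.Security.Principal.SecurityIdentifier])

Get-ADUser -SearchBase $StaffOU -Filter * -Properties adminCount, nTSecurityDescriptor |
  ForEach-Object {
    $user = $_
    $acl  = $user.nTSecurityDescriptor

    # Look for an Allow ACE (explicit or inherited) that grants the technician
    # the Reset Password right, or all extended rights (ObjectType = empty GUID).
    $resetAce = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
      Where-Object {
        $_.IdentityReference -eq $techSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
      }

    [PSCustomObject]@{
      User               = $user.SamAccountName
      AdminCount         = $user.adminCount          # 1 => AdminSDHolder rewrites the ACL
      InheritanceBlocked = $acl.AreAccessRulesProtected
      TechCanReset       = [bool]$resetAce
    }
  } | Format-Table -AutoSize
```

Any row with `AdminCount = 1` or `InheritanceBlocked = True` explains a `TechCanReset = False` result: the first is a protected account whose ACL is reset hourly by the AdminSDHolder process, the second is the "Include inheritable permissions" box described above being unticked. Run it against the domain controller you delegated on first, then against the others, to separate a replication delay from a real ACL problem.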
 
LVL 11

Assisted Solution

by:zalazar
zalazar earned 125 total points
ID: 40583804
I actually prefer to set these permissions manually, as by using delegation you do not have full control over the assigned permissions. Below please find a procedure which assigns the minimum permissions needed to reset passwords for user accounts in the "Staff" OU.

Start AD Users and Computers
View | Advanced Features
Right click on the "Staff" OU where you want to give the reset password permissions and select Properties
Click the Security tab
Click Advanced, click Add..., type <technician user account>, click Check Names and OK
On the object tab, select Apply to "Descendant User objects"
Allow the following 2 permissions:
Change password  and  Reset password
Click OK, OK, OK
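The same two ACEs can be written from PowerShell, which makes the grant repeatable and leaves a record of exactly what was added. This is an added example, not the answerer's code; it assumes the ActiveDirectory module (which provides the `AD:` drive), and the OU distinguished name `OU=Staff,DC=example,DC=com` and the account `EXAMPLE\technician` are placeholders for your own values.

```powershell
# Added example: grant only "Reset password" and "Change password" to the
# technician on descendant user objects of the Staff OU, then show the result.
Import-Module ActiveDirectory

$StaffOU    = 'OU=Staff,DC=example,DC=com'   # assumption: your Staff OU
$Technician = 'EXAMPLE\technician'           # assumption: the technician account

# Well-known GUIDs: the two control-access rights and the "user" object class.
$ResetPasswordGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$identity = New-Object System.Security.Principal.NTAccount($Technician)
$acl      = Get-Acl -Path "AD:\$StaffOU"

foreach ($right in $ResetPasswordGuid, $ChangePasswordGuid) {
    # ExtendedRight limited to one control-access right, applied to
    # "Descendant User objects" only (not the OU itself, not other classes).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$StaffOU" -AclObject $acl

# Review: only these two ACEs should name the technician on the OU.
(Get-Acl -Path "AD:\$StaffOU").Access |
  Where-Object { $_.IdentityReference.Value -eq $Technician } |
  Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                InheritanceType, InheritedObjectType
```

The review step is the point of doing it this way: the output should list exactly two `ExtendedRight / Allow` entries with `InheritanceType = Descendents` and the user class as `InheritedObjectType`; anything else attached to that account is extra access that the wizard or an earlier attempt left behind. The equivalent with the built-in `dsacls` tool is `dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\technician:CA;Reset Password;user"` (and again with `Change Password`), where `/I:S` restricts the ACE to sub-objects.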
 

Author Comment

by:smpvm
ID: 40585687
Thank you all, the permission is set correctly as per your advice.
Now the last part is to provide a solution which will help the "technician" connect to the "Active Directory Users and Computers" console from his Windows 7 desktop. I don't want to give him an RDP connection to the Domain Controller because I am afraid he may restart or shut down the server by mistake.

Regards...
 
LVL 53

Expert Comment

by:McKnife
ID: 40585711
Anyone, no matter what permissions, could use RSAT to connect to a DC.
 

Author Comment

by:smpvm
ID: 40585713
What is RSAT ?
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 40585717
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 250 total points
ID: 40586032
Once you've downloaded and installed RSAT on the technician's Windows 7 machine, you will need to enable the required RSAT modules through Control Panel > Programs and Features > Turn Windows features on or off
[Image: Enabling-RSAT-Modules.png]
 

Author Comment

by:smpvm
ID: 40586068
Dear VBITS,
I successfully installed RSAT using the above link on the "technician" computer, but I found a security issue: by mistake I installed RSAT using another user, say "user1", and I came to understand that from user1's profile I am able to view the Active Directory Users and Computers hierarchy in read-only mode, which is a big security issue. Can you please suggest how I can implement a countermeasure from the domain controller so that everyone, or authenticated normal users, should not have the privilege to view the Active Directory Users and Computers hierarchy, DNS, DHCP, etc... all AD tools.

Please Help.

Regards....
 
LVL 53

Expert Comment

by:McKnife
ID: 40586090
By default, with or without RSAT, any user may browse Active Directory. This is NOT a security issue.
 

Author Comment

by:smpvm
ID: 40586095
Hello McKnife,

Is it possible to prevent this default behavior ?

Regards
 
LVL 24

Expert Comment

by:VB ITS
ID: 40586097
Unfortunately there's no easy way to do this, as the read access to AD is by design. It's not exactly a security risk either as other LDAP browsers will be able to retrieve the data in AD with or without RSAT installed.

If you must, you can look at blocking use of all MMCs through Group Policy but again, this won't stop other programs from reading AD data in your organisation.
 
LVL 53

Expert Comment

by:McKnife
ID: 40586369
Every object in AD has an ACL: every user, computer, GPO, ... So yes, we can block read access to those; if you know the consequences, go ahead.
 

Author Comment

by:smpvm
ID: 40597741
Thank you, this solution is perfect.
 

Author Comment

by:smpvm
ID: 40597802
I've requested that this question be closed as follows:

Accepted answer: 0 points for smpvm's comment #a40597741
Assisted answer: 125 points for VB ITS's comment #a40583484
Assisted answer: 125 points for zalazar's comment #a40583804
Assisted answer: 125 points for McKnife's comment #a40585717
Assisted answer: 125 points for VB ITS's comment #a40586032

for the following reason:

Good Solution
 

Author Closing Comment

by:smpvm
ID: 40597803
Good Solution