Permissions required to reset password on ADCU

Daniel Blanca 1 Reputation point
2021-10-31T07:36:55.217+00:00

Hi,

I'm trying to grant a service account permissions to reset passwords for other user accounts, but it's not working as expected. I've read many articles regarding this but didn't get the desired outcome. I got to the point where the service account is able to reset passwords for other users, but they then need to set a new one when they log on. On the reset password dialog the option "User must change password at next logon" is available and the service account can check/uncheck it, but it doesn't count: the user has to set a new password no matter what. Under account options the service account is able to check this option but it can't uncheck it. What am I missing here? How can I accomplish this?

Thanks,
Daniel

Active Directory

7 answers

  1. Daniel Blanca 1 Reputation point
    2021-11-04T14:45:19.96+00:00

    Got it solved.
    I ran the Delegate Control wizard on the root of the directory tree and found some options there that you can't see when running this wizard on a specific OU.

    [image: 146583-image.png]

    [image: 146509-image.png]

    I checked these two and it did the trick; now I'm able to check and uncheck the "User must change password at next login" option under account options. And, of course, I can reset a password without forcing the user to set a new one.
    Can't say for sure, but I think it's the "Unexpire password" option which was needed; the other one can be skipped.

    Thanks for your help.
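    The delegation Daniel describes can also be applied without the wizard. The following PowerShell is an added example, not code from the thread or from Microsoft: it grants the "Reset Password" and "Unexpire Password" control access rights on an OU to a group (the group that holds the service account) and then reads the ACL back to confirm the two entries exist. Clearing "User must change password at next logon" writes -1 to pwdLastSet, which is the operation the Unexpire Password right covers, consistent with Daniel's finding that this right is the one that mattered. The OU distinguished name and the group name are placeholders; the right and class GUIDs are looked up in the forest rather than hard-coded. It assumes the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor.

```powershell
# Added example: delegate Reset Password + Unexpire Password on an OU (not from the thread).
Import-Module ActiveDirectory

$OuDn     = 'OU=TestUsers,DC=example,DC=com'   # placeholder: OU holding the target users
$Delegate = 'EXAMPLE\PasswordResetOps'          # placeholder: group containing the service account

$rootDse         = Get-ADRootDSE
$rightsContainer = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve a control access right's GUID from the Extended-Rights container by display name.
function Get-ControlAccessRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $r = Get-ADObject -SearchBase $rightsContainer -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $r) { throw "Control access right '$DisplayName' not found in $rightsContainer" }
    [guid]$r.rightsGuid
}

# Resolve a schema class GUID (used to scope the ACE to user objects only).
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $c = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $c) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$c.schemaIDGUID
}

function Grant-PasswordResetDelegation {
    param([string]$Ou = $OuDn, [string]$Identity = $Delegate)

    $who       = [System.Security.Principal.NTAccount]$Identity
    $userClass = Get-SchemaClassGuid 'user'
    $acl       = Get-Acl -Path "AD:\$Ou"

    foreach ($right in 'Reset Password', 'Unexpire Password') {
        # One ACE per right: Allow, ExtendedRight, inherited by descendant user objects only.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $who,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-ControlAccessRightGuid $right),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

# Read the ACL back and list only the two rights we care about for this identity.
function Get-PasswordResetDelegation {
    param([string]$Ou = $OuDn, [string]$Identity = $Delegate)

    $names = @{}
    foreach ($right in 'Reset Password', 'Unexpire Password') {
        $names[(Get-ControlAccessRightGuid $right)] = $right
    }

    (Get-Acl -Path "AD:\$Ou").Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $names.ContainsKey($_.ObjectType)
        } |
        Select-Object IdentityReference, AccessControlType,
                      @{ n = 'Right'; e = { $names[$_.ObjectType] } },
                      InheritanceType, IsInherited
}

Grant-PasswordResetDelegation
Get-PasswordResetDelegation | Format-Table -AutoSize
```

    Scoping the entries to descendant `user` objects keeps the group from gaining any right on the OU itself or on other object classes, which is tighter than the wizard's default. If the verification function returns nothing for the group, the usual causes are a typo in the group name or inheritance being disabled on the target user (the "Include inheritable permissions" check Marco suggests further down the thread).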


  2. Gary Reynolds 9,391 Reputation points
    2021-11-04T09:50:54.673+00:00

    Hi @Daniel Blanca

    Interesting, I can't think of any policy that would force pwdLastSet to be zeroed when the password is changed.

    The next steps I would try, to figure out what is causing this behaviour:

    1. Clear the "User must change password at next logon" check box.
    2. Confirm the change has been saved by reopening the properties dialog.
    3. Confirm the value of msDS-UserPasswordExpiryTimeComputed and whether it's in the past.
    4. Log on with the account to confirm that the current password is set.
    5. Confirm the metadata of the user object and the details of when and on which server the password was changed; you can use this page as a reference on how to get this information.
    6. Use this page to get a "before" snapshot of the user object: enter the DN of the user for both the left and right object and click Compare.
    7. Use ADUC to change the password.
    8. In NetTools click Compare again to see which attributes have been changed.
    9. Open the metadata dialog again and confirm when and which server changed the value of the pwdLastSet attribute, and whether it is different from the one that changed the unicodePwd attribute.

    Let us know how you go.

    Gary.

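    Gary's steps 3, 5 and 9 can be scripted so the before/after comparison is repeatable. The PowerShell below is an added example, not code from the thread or from NetTools: one function reports the password state of a user (whether pwdLastSet is 0, when it was set, and whether msDS-UserPasswordExpiryTimeComputed is already in the past), and a second reports the replication metadata for pwdLastSet and unicodePwd so you can see which DC wrote each attribute and when. It assumes the RSAT ActiveDirectory module; the account name test2 is taken from the thread, and the PDC emulator is used as the query target by default.

```powershell
# Added example: snapshot the attributes behind "must change password at next logon" (not from the thread).
Import-Module ActiveDirectory

function Get-PasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed', PasswordExpired, PasswordNeverExpires

    # pwdLastSet = 0 is exactly what the "User must change password at next logon" box represents.
    $mustChange = ($u.pwdLastSet -eq 0)
    $lastSet    = if ($mustChange) { $null } else { [DateTime]::FromFileTimeUtc($u.pwdLastSet) }

    # Constructed attribute: 0 when a change is forced, Int64.MaxValue when the password never expires.
    $expiryRaw = [Int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry    = if ($expiryRaw -eq 0 -or $expiryRaw -eq [Int64]::MaxValue) { $null } else { [DateTime]::FromFileTimeUtc($expiryRaw) }

    [pscustomobject]@{
        User                = $u.SamAccountName
        MustChangeAtLogon   = $mustChange
        PasswordLastSetUtc  = $lastSet
        PasswordExpiresUtc  = $expiry
        ExpiryInPast        = ($null -ne $expiry -and $expiry -lt (Get-Date).ToUniversalTime())
        PasswordExpiredFlag = $u.PasswordExpired
        NeverExpires        = $u.PasswordNeverExpires
    }
}

function Get-PasswordChangeOrigin {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$Server = (Get-ADDomain).PDCEmulator)

    $dn = (Get-ADUser -Identity $SamAccountName -Server $Server).DistinguishedName
    # Replication metadata records the originating DC and time of the last write per attribute.
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties pwdLastSet, unicodePwd |
        Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# Usage: take the "before" snapshot, reset the password in ADUC, then take the "after" one.
$before       = Get-PasswordState -SamAccountName 'test2'
$originBefore = Get-PasswordChangeOrigin -SamAccountName 'test2'
Read-Host 'Reset the password for test2 in ADUC now, then press Enter' | Out-Null
$after        = Get-PasswordState -SamAccountName 'test2'
$originAfter  = Get-PasswordChangeOrigin -SamAccountName 'test2'

# Which attributes changed, and did the same DC write pwdLastSet and unicodePwd?
Compare-Object $before $after -Property MustChangeAtLogon, PasswordLastSetUtc, PasswordExpiresUtc, ExpiryInPast
$originBefore | Format-Table -AutoSize
$originAfter  | Format-Table -AutoSize
```

    If the "after" snapshot shows MustChangeAtLogon as true while the reset dialog had the box cleared, the write of -1 to pwdLastSet was refused and only unicodePwd was updated; the metadata rows then show unicodePwd with a new version and pwdLastSet unchanged. Querying a single named DC avoids reading a stale replica mid-investigation.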

  3. Daniel Blanca 1 Reputation point
    2021-11-04T09:24:44.447+00:00

    Hello all,

    Thank you for your help; however, it's not solved yet.

    @Limitless Technology - it was the first thing I tried; it didn't work.

    @Marco Schiavon :

    1. I'm using 2 test users, test1 & test2. The desired outcome is that test1 can reset the password for test2 without forcing test2 to set a new password on the first logon.
    2. The inheritance option is checked.

    @GaryReynolds-8098 - As I said, test1 is able to reset the password for test2, but test2 is forced to set a new one. I've tried the delegation wizard, added test1 to the Account Operators group and even gave test1 full permissions over the OU containing test2, but nothing helped.

    I was told it might be a GPO issue but I'm not sure what to look for.

    [image: 146477-1.png]

    [image: 146467-2.png]

    [image: 146448-3.png]


  4. Limitless Technology 39,371 Reputation points
    2021-11-03T09:21:58.45+00:00

    Hi there,

    To grant Active Directory password reset permissions to your service account, try the steps below:

    1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
    2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
    3. Click Delegate Control to open the Delegation of Control Wizard.
    4. Click Next to proceed past the wizard's welcome page.
    5. Click Add.
    6. Click Next to proceed.
    7. Under "Delegate the following common tasks", choose to delegate the privilege to "Reset user passwords and force password change at next logon". This will delegate AD password change and reset privileges to the service account.
    8. Click Next to proceed.
    9. Review the changes and ensure they are correct.
    10. Click Finish to save your changes and close the wizard.

    --If the reply is helpful, please Upvote and Accept it as an answer--


  5. Marco Schiavon 711 Reputation points
    2021-10-31T17:17:57.113+00:00

    Are you doing these tests using the same TEST user?
    Have you checked that the user whose password you are trying to reset has inherited the permissions of your reset-password user? (user properties => Security => Advanced => INCLUDE INHERITABLE PERMISSIONS FROM THIS OBJECT'S PARENT)

    [image: 145273-screenshot-2021-10-31-at-18-16-58.jpg]
