Permissions required to reset password on ADCU

Daniel Blanca 1 Reputation point
2021-10-31T07:36:55.217+00:00

Hi,

I'm trying to grant a service account permissions to reset password for other user accounts but it's not working as expected. I've read many articles regarding this but didn't get the desired outcome. I got to the point where the service account is able to reset password for other users but they need to set a new one when they log on. On the reset password dialog the option "User must change password at next logon" is available and the service account can check/uncheck it but it doesn't count, the user has to set a new password no matter what. Under account options the service account is able to check this option but it can't uncheck it. What am I missing here? How can I accomplish this?

Thanks,
Daniel

Active Directory

7 answers

  1. Gary Reynolds 9,391 Reputation points
    2021-10-31T09:06:13.227+00:00

    Hi @Daniel Blanca

    Resetting a user's password and setting the requirement for the user to change their password at the next logon are two different operations.

    Using the ADUC delegation wizard to assign password reset permissions

    145227-delegation.png

    to the grp1 group, it will assign the following permissions to the selected OU:

    145196-delegation.png

    The first permission provides the ability to reset the user's password; the second permission provides the ability to force the user to reset their password at the next logon.

    You can confirm whether the user is required to change their password at next logon by looking at the pwdlastset attribute: if the pwdlastset attribute is set to 0 (zero), the user must change their password at next logon.

    You can change the user's password without setting pwdlastset to zero by writing the new password to the unicodepwd attribute.

    Gary.

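    As an added illustration of the two separate operations Gary describes (this is not code from the thread or from any participant), the following PowerShell uses the RSAT ActiveDirectory module to read pwdLastSet, to check that the delegated "Reset Password" and pwdLastSet ACEs actually reached the target user object, and to reset a password without leaving the user forced to change it. It assumes the thread's test1/test2 accounts and is meant to be run as the delegated account; the GUID lookups against the schema and configuration partitions are standard but the surrounding function names are invented here.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module and that it runs as the delegated account (test1 in the thread). The
# target 'test2' is the thread's test user; the new password is prompted for.
Import-Module ActiveDirectory

$Target = 'test2'

# 1. Read pwdLastSet: a value of 0 means "must change password at next logon".
function Get-MustChangeAtLogon {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    return ($u.pwdLastSet -eq 0)
}

# 2. Show the ACEs on the user object that grant the trustee the Reset Password
#    extended right or write access to pwdLastSet, and whether they were inherited.
#    Both GUIDs are resolved from the directory instead of being hard-coded.
function Get-PasswordDelegationAces {
    param([string]$SamAccountName, [string]$Trustee)
    $rootDse = Get-ADRootDSE
    $pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq 'pwdLastSet'" -Properties schemaIDGUID).schemaIDGUID
    $resetPwdGuid = [guid](Get-ADObject `
        -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$Trustee" -and
        ($_.ObjectType -eq $pwdLastSetGuid -or $_.ObjectType -eq $resetPwdGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# 3. Reset the password, then clear the "must change" flag as a separate write.
#    Writing -1 stamps the current time into pwdLastSet; if the attribute is
#    already non-zero the DC only accepts -1 after it has first been set to 0.
function Reset-PasswordWithoutForcedChange {
    param([string]$SamAccountName, [securestring]$NewPassword)
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
    Set-ADUser -Identity $SamAccountName -Replace @{pwdLastSet = 0}
    Set-ADUser -Identity $SamAccountName -Replace @{pwdLastSet = -1}
}

Get-PasswordDelegationAces -SamAccountName $Target -Trustee 'test1' | Format-Table -AutoSize
$pw = Read-Host -AsSecureString -Prompt "New password for $Target"
Reset-PasswordWithoutForcedChange -SamAccountName $Target -NewPassword $pw
"Must change at next logon: $(Get-MustChangeAtLogon -SamAccountName $Target)"
```

    If step 2 lists no entry for the trustee, or the entries show IsInherited as False on a parent-OU delegation, the ACEs did not propagate to the user object; if step 3 fails on the final write, the account lacks write access to pwdLastSet even though the reset itself succeeded.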

  2. Daniel Blanca 1 Reputation point
    2021-10-31T09:58:42.043+00:00

    Hi,

    I can see that the service account has these 2 permissions. As a matter of fact I even gave it full control over the users OU but it doesn't work nevertheless.
    I tried to give permissions through the Delegate Control wizard, I joined the service account to Account Operators group, I even tried through the security tab of the OU but nothing worked.
    I'll be glad to hear more ideas.

    Thank you

    145165-image.png

    145166-image.png


  3. Marco Schiavon 711 Reputation points
    2021-10-31T17:17:57.113+00:00

    Are you doing these tests using the same TEST user?
    Have you checked that the user whose password you are trying to reset has inherited the permissions of your reset-password user? (user properties => Security => Advanced => INCLUDE INHERITABLE PERMISSIONS FROM THIS OBJECT'S PARENT)

    145273-screenshot-2021-10-31-at-18-16-58.jpg


  4. Limitless Technology 39,351 Reputation points
    2021-11-03T09:21:58.45+00:00

    Hi there,

    To grant Microsoft Active Directory password reset permissions to your service account, try the steps below:

    1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
    2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
    3. Click Delegate Control to open the Delegation of Control Wizard.
    4. Click Next to proceed past the wizard's welcome page.
    5. Click Add.
    6. Click Next to proceed.
    7. Under Delegate the following common tasks, choose to delegate the privilege to Reset user passwords and force password change at next logon. This will delegate AD password change and reset privileges to the service account.
    8. Click Next to proceed.
    9. Review the changes and ensure the changes are correct.
    10. Click Finish to save your changes and close the wizard.

    --If the reply is helpful, please Upvote and Accept it as an answer--


  5. Daniel Blanca 1 Reputation point
    2021-11-04T09:24:44.447+00:00

    Hello all,

    Thank you for your help, however it's not solved yet.

    @Limitless Technology - it was the first thing I tried; it didn't work.

    @Marco Schiavon :

    1. I'm using 2 test users - test1 & test2. The desired outcome is that test1 can reset password for test2 without forcing test2 to set a new password on the first logon.
    2. The inheritance option is checked.

    @GaryReynolds-8098 - As I said test1 is able to reset password for test2 but test2 is forced to set a new one. I've tried the delegation wizard, joined test1 to Account Operators group and even gave test1 full permissions over the OU containing test2 but nothing helped.

    I was told it might be a GPO issue but I'm not sure what to look for.

    146477-1.png

    146467-2.png

    146448-3.png
