Hello,
Thank you for posting in the Q&A forum.
Hello, based on your description, it seems like the Help Desk group has lost the ability to reset passwords for their own accounts but can still reset passwords for normal accounts.
This could be due to a change in permissions or group policies. Here are a few suggestions to troubleshoot the issue:
- Check Group Policies: Ensure that the group policy settings have not been changed recently. If there have been changes, it's possible that the Help Desk group's permissions were inadvertently modified.
- Review User Rights Assignment: In the Local Security Policy, under User Rights Assignment, ensure that the Help Desk group has the 'Allow log on locally' and 'Reset password' permissions.
- Check Protected Users Group Membership: If the Help Desk group is a member of the Protected Users group, they will have more restrictions. Members of the Protected Users group cannot authenticate by using NTLM, digest authentication, or CredSSP. If a member of the Protected Users group tries to authenticate to a domain by using an unsupported method, that member's authentication attempt will fail. You might need to remove the Help Desk group from the Protected Users group if they need to reset their passwords frequently.
- Check Delegation of Control: Ensure that the Help Desk group has been delegated the correct permissions in Active Directory to reset passwords.
- Audit Logs: Check the security logs on your domain controller to see if there are any clues as to why the password reset is failing.
The contents of this Microsoft official document may help you:
Troubleshoot self-service password reset - Microsoft Entra ID | Microsoft Learn
I hope the information above is helpful.
Best Regards,
Yanhong Liu
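The checks suggested in the answer above (Protected Users membership, delegated Reset Password permission, and Security log entries) can be gathered in one pass. This PowerShell is an added example, not part of the original answer; the group name `Help Desk`, the 7-day window, and running it elevated on a domain controller with the ActiveDirectory module are assumptions.

```powershell
# Added example. Assumptions: the group is named 'Help Desk'; run elevated on a
# domain controller with the ActiveDirectory module (RSAT) available.
Import-Module ActiveDirectory

$HelpDeskGroup = 'Help Desk'   # assumed group name
$Days          = 7             # assumed look-back window for the Security log
$ADR           = [System.DirectoryServices.ActiveDirectoryRights]
# Rights GUID of the "Reset Password" extended right
$ResetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$groupSid  = (Get-ADGroup -Identity $HelpDeskGroup).SID.Value
$members   = @(Get-ADGroupMember -Identity $HelpDeskGroup -Recursive |
               Where-Object { $_.objectClass -eq 'user' })
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               ForEach-Object { $_.SID.Value })

# Per member: Protected Users membership, ACL inheritance state, and whether the
# Help Desk group holds Reset Password (or Full Control) on that account.
$report = foreach ($m in $members) {
    $acl  = Get-Acl -Path ("AD:\" + $m.distinguishedName)
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $groupSid -and
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag($ADR::GenericAll) -or
                ($_.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and
                 ($_.ObjectType -eq $ResetPwdRight -or $_.ObjectType -eq [guid]::Empty)))
        }
    [pscustomobject]@{
        Account            = $m.SamAccountName
        InProtectedUsers   = $protected -contains $m.SID.Value
        InheritanceBlocked = $acl.AreAccessRulesProtected
        HelpDeskCanReset   = [bool]$aces
    }
}
$report | Format-Table -AutoSize

# Event ID 4724: "An attempt was made to reset an account's password".
$names = $members.SamAccountName
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724
    StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($names -contains $d.TargetUserName) {
            [pscustomobject]@{ Time = $_.TimeCreated; By = $d.SubjectUserName
                Target = $d.TargetUserName; Result = $_.KeywordsDisplayNames -join ',' }
        }
    }
```

A row with `HelpDeskCanReset` false shows an account on which the group's delegated right is not in effect, and `InheritanceBlocked` true shows that the account no longer inherits permissions from its OU.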