Help desk group Can not reset Passwords for their accounts in ADUAC

Rawan Nasser 0 Reputation points
2024-06-24T05:58:50.61+00:00

Dear All,,

Recentlly we face an issue with Help desk group , since they couldnt reset Password for their accounts , although they can before ,

right now , they can reset the passwords for normal accounts only .

also, note that group are member of protected user group.

kindly help me find the issue and solve it .

thank you

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,255 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,660 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Yanhong Liu 12,430 Reputation points Microsoft Vendor
    2024-06-25T07:42:40.1366667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Hello, based on your description, it seems like the Help Desk group has lost the ability to reset passwords for their own accounts but can still reset passwords for normal accounts.

    This could be due to a change in permissions or group policies. Here are a few suggestions to troubleshoot the issue:

    1. Check Group Policies: Ensure that the group policy settings have not been changed recently. If there have been changes, it's possible that the Help Desk group's permissions were inadvertently modified.
    2. Review User Rights Assignment: In the Local Security Policy, under User Rights Assignment, ensure that the Help Desk group has the 'Allow log on locally' and 'Reset password' permissions.
    3. Check Protected Users Group Membership: If the Help Desk group is a member of the Protected Users group, they will have more restrictions. Members of the Protected Users group cannot authenticate by using NTLM, digest authentication, or CredSSP. If a member of the Protected Users group tries to authenticate to a domain by using an unsupported method, that member's authentication attempt will fail. You might need to remove the Help Desk group from the Protected Users group if they need to reset their passwords frequently.
    4. Check Delegation of Control: Ensure that the Help Desk group has been delegated the correct permissions in Active Directory to reset passwords.
    5. Audit Logs: Check the security logs on your domain controller to see if there are any clues as to why the password reset is failing.

    The contents of this Microsoft official document may help you:

    Troubleshoot self-service password reset - Microsoft Entra ID | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.