How do we reset the password of a domain admin account with a non-domain admin account?

Anonymous
2024-03-11T17:44:40+00:00

Hello,

As you know, normal users cannot reset the passwords of users in groups called "protected users". (For example: Domain Admins, Account Operators)

I followed the steps below to solve this, but it did not work. Is there a different method or solution?

I gave the test user "Reset Password", "Change Password", "Read Property, LockoutTime", "Write Property, LockoutTime" privileges in the entire domain. Additionally, I ran the following 3 commands by logging into the Domain Controller server with the domain admin user.

dsacls.exe CN=AdminSDHolder,CN=System,DC=test,DC=domain /G test.domain\test.user:CA;"Reset Password"

dsacls.exe CN=AdminSDHolder,CN=System,DC=test,DC=domain /G test.domain\test.user:RP;"LockoutTime" test.domain\test.user:WP;"LockoutTime"

dsacls.exe CN=AdminSDHolder,CN=System,DC=test,DC=domain /G test.domain\test.user:WD test.domain\test.user:RP;"account restrictions" test.domain\test.user:WP;"account restrictions"

These commands ran without error, and at the end the "command completed successfully" message appeared.

Regards

Windows Server Identity and access Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


1 answer

  1. Anonymous
    2024-03-12T06:58:45+00:00

    Hi Atakan Coşguner,

    Thank you for posting in the Microsoft Community Forum.

    You can try using a recovery account:

    Windows Server domain controllers typically have a recovery account setting, which can be used to reset the domain administrator password.

    Log in to the domain controller and navigate to Active Directory Users and Computers (ADUC).

    Locate the domain administrator account, right-click, and select "Properties."

    Switch to the "Account" tab and find the "Recovery" account option.

    Enter the credentials for the recovery account, then use it to log in and reset the domain administrator password.

    Best regards

    Neuvi Jiang

    1 person found this answer helpful.
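
A read-only check of whether the AdminSDHolder grants from the question are present and have reached a protected account, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is installed; `TEST\test.user` and `Administrator` are placeholder names.

```powershell
# Added example, read-only. Requires the ActiveDirectory module (RSAT), which
# provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

# Placeholder names (assumptions, adapt to your domain).
$Trustee   = 'TEST\test.user'   # NetBIOS form of the delegated account
$TargetSam = 'Administrator'    # a protected account to compare against

$holderDN = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
$target   = Get-ADUser -Identity $TargetSam -Properties adminCount

# Build a GUID -> name map so object-specific ACEs are readable
# (extended rights such as "Reset Password", attributes such as lockoutTime).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' `
    -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Return one readable line per ACE that names the given account on the object.
function Get-TrusteeAce {
    param([string]$DistinguishedName, [string]$Account)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            $what = $guidMap[$_.ObjectType]
            if ($_.ObjectType -eq [guid]::Empty) { $what = '(whole object)' }
            '{0} {1} on {2}' -f $_.AccessControlType, $_.ActiveDirectoryRights, $what
        }
}

$onHolder = @(Get-TrusteeAce $holderDN $Trustee)
$onTarget = @(Get-TrusteeAce $target.DistinguishedName $Trustee)

'adminCount on {0}: {1}' -f $TargetSam, $target.adminCount
'ACEs for {0} on AdminSDHolder:' -f $Trustee; $onHolder
'ACEs for {0} on {1}:' -f $Trustee, $TargetSam; $onTarget

# Protected accounts receive AdminSDHolder's ACL from the SDProp process on the
# PDC emulator (every 60 minutes by default), so a fresh grant can be missing.
$missing = @($onHolder | Where-Object { $_ -notin $onTarget })
if ($missing.Count) { 'On AdminSDHolder but not yet on the account:'; $missing }
```

Run without a trustee filter, the same `Get-Acl` call is also a quick audit of AdminSDHolder: any non-default principal listed there will gain the same rights over every protected account.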