Active Directory Reset Password Over CMD Permissions

Anonymous
2023-09-11T22:24:00+00:00

So here is my issue. I am running Active Directory and I need certain end users to be able to reset the password for users in, let's say, the EXAMPLE OU. So what I did was create a security group and delegate reset password permissions. However, when I go to cmd and get users to run "Net user (username) (newpassword) /domain", it returns access denied 5. So I check permissions over and over again but no luck. It's only when I give the security group full permission to edit properties of users in the OU that it actually works. I need to know what permissions exactly will allow me to do this. My users must be able to use the cmd command for our strange use case. For obvious reasons I don't want to give them those permissions forever.


This question was migrated from the Microsoft Support Community.


4 answers

  1. Anonymous
    2023-09-12T02:05:51+00:00

    Hello Jake Cooper1,

    Thank you for posting in Microsoft Community forum.

    In my test, I delegated a domain user (t2) to change passwords for other domain users.

    1. I set it through the "Delegation of Control Wizard" and checked "Reset user passwords and force password change at next logon".

    (screenshot)

    2. I cannot check the option "User must change password at next logon" (the option is greyed out) when resetting the password for domain users using the t2 account.

    (screenshot)

    3. However, I can reset the password for domain users in the specific OU successfully using t2 via the GUI (not the CMD command).

    (screenshot)

    4. But when I reset the password for domain users in the specific OU using t2 via the CMD command, it seems I get a similar error message to yours (below), am I right?

    ![Image](https://filestore.community.support.microsoft.com/api/images/6bac214d-7953-4a7b-afbe-a1c8140ce7d5?upload=true&fud_access=wJJIheezUklbAN2ppeDns8cDNpYs3nCYjgitr%2bfFBh2dqlqMuW7np3F6Utp%2fKMltnRRYFtVjOMO5tpbpW9UyRAwvLeec5emAPixgq9ta07Dgnp2aq5eJbnfd%2fU3qhn54Ui9c7IY3%2bVaDGM794ieFEWFOTytTrMKy7m1XQpeIKlfhHZvv6qxFNypZh8EVO%2bjzMgLRnj7SrY%2fjVoV7qs8fDiK994oMxVrhrFAMYDcU%2fzovBLnoL%2b64GlkFU%2bfrdRqUwzve3Xwdwc2WAnCV7XcBCgOYAR1JDOQ%2bKXWy5MpA9q0r3EriVRHsqt2q%2f%2f2k6DIPvsV2fS5IIG%2f3onjFlVXAb2meyriW9WuCwp5xf%2fKK5ONf6l%2fGl29ieJDiLea7AKkfPMg%2fSPh7gxOkRNpZnZ9WvAflZvVD2qL2REAySRNc0X8%3d)

    It seems resetting the password via CMD needs more permissions; currently, I cannot find what specific permissions CMD needs (I have tested for more than two hours).

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

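The question and the first answer both turn on what the delegation actually granted. The wizard option named above is expected to leave two entries on the OU for the group: the "Reset Password" extended right on descendant user objects, and read/write of the pwdLastSet attribute on descendant user objects. If instead you see GenericAll, or WriteProperty with no attribute restriction, the group was over-delegated (which is what "full permission to edit properties" means). The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module (which provides the AD: drive), and `$OuDn` and `$GroupName` are placeholders. It resolves each ACE's object GUID to an attribute or extended-right name so the output is readable without memorising GUIDs.

```powershell
# Added example, not from the thread. Audits which rights a delegated group actually
# holds on an OU, resolving ACE object GUIDs to attribute / extended-right names.
# Assumes: RSAT ActiveDirectory module, a reachable DC, and the AD: PSDrive it creates.
Import-Module ActiveDirectory

$OuDn      = 'OU=EXAMPLE,DC=corp,DC=example'   # placeholder OU distinguished name
$GroupName = 'PasswordResetters'               # placeholder delegated group (sAMAccountName)

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights such as "Reset Password").
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty)     { return 'All' }        # ACE applies to every attribute/right
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()                                  # unknown GUID: show it raw, do not guess
}

# Read the OU's DACL and keep only the ACEs that name the delegated group.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    ForEach-Object {
        [pscustomobject]@{
            Type            = $_.AccessControlType                     # Allow / Deny
            Rights          = $_.ActiveDirectoryRights                 # e.g. ExtendedRight, WriteProperty
            AppliesTo       = Resolve-AceGuid $_.ObjectType            # attribute or extended right
            InheritedObject = Resolve-AceGuid $_.InheritedObjectType   # object class the ACE is scoped to
            Inheritance     = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Run it as an account that can read the OU's security descriptor. Note that this only shows what the directory grants; a `net user ... /domain` failing with error 5 while the GUI succeeds can also come from the domain controller's restriction on remote SAM calls, which is a separate control and does not appear in the OU's DACL.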
  2. Anonymous
    2023-09-12T09:17:44+00:00

    What the issue is, we don't want the users having AD Users and Computers installed, so we ideally want to know what the permission is. Is there any set permission for the net user command that it could happen to fall under?

  3. Anonymous
    2023-09-12T09:22:26+00:00

    I saw this post; could this be a fix?

    Hello all,
    I found a solution for this problem.
    The problem was placed directly in the registry of the domain controllers.
    There are 2 ways you can solve it.

    Solution 1: Create a policy which allows the specified groups or users to make a SAM request and link it to the whole domain's OUs at the top level, so that all computers and users of all OUs get it.

    Here is the instruction for this policy setting:

    Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM".

    Select "Edit Security" to configure the "Security descriptor:".

    Add the wished User or Group in "Group or user names:"

    Select "Allow" for "Remote Access" in "Permissions for "Administrators".

    Click "OK".

    In CMD, run gpupdate /force on all domain computers and restart them.

    Solution 2: Deleting existing policy or local registry settings for SAM request

    1. Find the policy that specifies the SAM request (if it already exists) and edit it (allow the wished group or user) or delete it completely.
    2. Open regedit.exe on all domain controllers at the same time and delete the registry key:

       Registry Hive: HKEY_LOCAL_MACHINE
       Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
       Value Name: RestrictRemoteSAM
       Value Type: REG_SZ
       Value: O:BAG:BAD:(A;;RC;;;BA)

    3. Restart one of the domain controllers and check if the registry key is still there. In general it should be completely removed and should not reappear after reboot.

    Info: This registry key restricts all normal users from making a "net user /domain <username>" request.

    4. Try the "net user /domain <username>" request as a normal user (run "gpupdate /force" and restart the computer running the request if needed).

    BR,
    Yaroslav Kraus

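The quoted post's two solutions differ a lot in risk. Solution 2 deletes the RestrictRemoteSam descriptor, which reopens remote SAM calls (the channel `net user` uses to reach the DC) to every domain user; Solution 1 keeps the restriction and adds one group to it, which is the least-privilege choice. The descriptor is plain SDDL, so it can be inspected and extended without hand-editing strings. The script below is an added example, not part of the thread; it assumes Windows PowerShell 5.1 or later, the value name RestrictRemoteSam under the Lsa key quoted in the post, and a placeholder `$GroupSid` for the delegated group. It decodes the default descriptor quoted above, produces a new one that grants "Remote Access" (SDDL `RC`, i.e. READ_CONTROL, 0x20000) only to that group, and compares against the live value if run on a domain controller.

```powershell
# Added example, not from the thread. Decodes a RestrictRemoteSam security descriptor
# and builds a tighter replacement that adds one delegated group instead of removing
# the restriction. Assumes PowerShell 5.1+ on Windows; $GroupSid is a placeholder.
$CurrentSddl  = 'O:BAG:BAD:(A;;RC;;;BA)'   # value quoted in the thread: Allow RC to BUILTIN\Administrators
$GroupSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # placeholder SID of the delegated group
$RemoteAccess = 0x00020000                 # READ_CONTROL; SDDL "RC" is "Remote Access" in this policy

function Show-RemoteSamAccess([string]$Sddl) {
    # List every ACE in the DACL with the principal name and whether it grants Remote Access.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Ace          = $ace.AceType
            Principal    = $who
            RemoteAccess = (($ace.AccessMask -band $RemoteAccess) -ne 0)
        }
    }
}

function Add-RemoteSamPrincipal([string]$Sddl, [string]$Sid) {
    # Return SDDL equal to $Sddl plus one Allow ACE granting Remote Access to $Sid.
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Idempotent: do nothing if the principal already has an Allow ACE with this right.
        if ($ace.SecurityIdentifier -eq $sid -and $ace.AceType -eq 'AccessAllowed' -and
            (($ace.AccessMask -band $RemoteAccess) -ne 0)) { return $Sddl }
    }
    $newAce = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $RemoteAccess, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

'Current descriptor:'
Show-RemoteSamAccess $CurrentSddl | Format-Table -AutoSize

$NewSddl = Add-RemoteSamPrincipal $CurrentSddl $GroupSid
'Proposed descriptor (adds only the delegated group):'
$NewSddl
Show-RemoteSamAccess $NewSddl | Format-Table -AutoSize

# On a domain controller, compare with the live value (the GPO setting writes this same value).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$live = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
if ($live) { 'Live value on this host:'; Show-RemoteSamAccess $live | Format-Table -AutoSize }

# Roll the proposed value out through the GPO path given in the post so it stays managed
# and survives policy refresh. Writing the key directly is for a lab only:
# Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSam -Value $NewSddl
```

Paste the proposed SDDL into the policy's "Edit Security" dialog, or confirm after `gpupdate /force` that the live value on each DC matches it. Keep the group membership small and reviewed: anyone in it can query account details over SAM from any domain-joined machine, which is exactly the reconnaissance the default restriction exists to limit.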
  4. Anonymous
    2023-09-13T01:10:07+00:00

    Hello Jake Cooper1,

    Thank you for your reply and update.

    The result of the command "Net user /domain <username>" will show the information about the specific AD user account. I am not sure if the two solutions apply to resetting the password via CMD or not.

    However, I think you can test the solutions above in a test lab, and after that check the result.

    Thanks for your time.

    Best Regards,
    Daisy Zhou
