DanielBlanca-2962 asked mschiavon edited

Permissions required to reset password on ADCU

Hi,

I'm trying to grant a service account permissions to reset passwords for other user accounts but it's not working as expected. I've read many articles regarding this but didn't get the desired outcome. I got to the point where the service account is able to reset passwords for other users, but they need to set a new one when they log on. On the reset password dialog the option "User must change password at next logon" is available and the service account can check/uncheck it, but it doesn't count: the user has to set a new password no matter what. Under account options the service account is able to check this option but it can't uncheck it. What am I missing here? How can I accomplish this?


Thanks,
Daniel

windows-active-directory

GaryReynolds answered

Hi @DanielBlanca-2962

Resetting a user's password and setting the requirement for the user to change their password at the next logon are two different operations.

Using the ADUC delegation wizard to assign password reset permissions

145227-delegation.png

to the grp1 group, it will assign the following permissions to the selected OU:

145196-delegation.png

The first permission provides the ability to reset the user's password; the second permission provides the ability to force the user to reset their password at the next logon.

You can confirm whether the user is required to change their password at next logon by looking at the pwdlastset attribute: if the pwdlastset attribute is set to 0 (zero), the user must change their password at next logon.

You can change the user's password without setting pwdlastset to zero by writing the new password to the unicodepwd attribute.

Gary.

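The answer above separates the "reset password" right from the right to write pwdlastset. The following PowerShell is an added example (not code from the thread) that audits which of those ACEs an OU grants to the group, then performs a reset and reads pwdlastset back. It assumes the ActiveDirectory module (and its AD: drive) and a constructed OU name; grp1 and test2 are the names used in the thread.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module and the
# constructed OU name below; 'grp1' and 'test2' are the names used in the thread.
Import-Module ActiveDirectory

$OU         = 'OU=Users,DC=example,DC=com'   # constructed placeholder
$Group      = 'grp1'
$TargetUser = 'test2'

# Resolve the GUIDs from the directory instead of hard-coding them.
$rootDse = Get-ADRootDSE
$rights  = @{}
foreach ($name in 'Reset Password', 'Unexpire Password') {
    $r = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(name=$name))" -Properties rightsGuid
    $rights[[guid]$r.rightsGuid] = "$name (extended right)"
}
$attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID
$rights[[guid]$attr.schemaIDGUID] = 'pwdLastSet (property)'

# List the ACEs on the OU that name the group, translating the ObjectType GUIDs.
$acl = Get-Acl -Path "AD:\$OU"
$acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$Group" } | ForEach-Object {
    $what = if ($rights.ContainsKey($_.ObjectType)) { $rights[$_.ObjectType] } else { $_.ObjectType }
    '{0,-5} {1,-25} {2,-30} inherit={3}' -f $_.AccessControlType, $_.ActiveDirectoryRights, $what, $_.InheritanceType
}

# Reset the password, clear the "must change at next logon" flag, and read back pwdLastSet.
$newPwd = Read-Host -AsSecureString "New password for $TargetUser"
Set-ADAccountPassword -Identity $TargetUser -Reset -NewPassword $newPwd
Set-ADUser -Identity $TargetUser -ChangePasswordAtLogon $false

$u = Get-ADUser -Identity $TargetUser -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
if ($u.pwdLastSet -eq 0) {
    "pwdLastSet is 0: $TargetUser will be forced to change the password at next logon"
} else {
    'pwdLastSet = {0}' -f [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    $exp = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($exp -gt 0 -and $exp -lt [Int64]::MaxValue) { 'password expires {0}' -f [DateTime]::FromFileTimeUtc($exp) }
}
```

Run the audit part as an administrator and the reset part as the delegated account: if the reset succeeds but pwdLastSet reads 0 afterwards, the account can write unicodePwd but not pwdLastSet.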

DanielBlanca-2962 avatar image
0 Votes"
DanielBlanca-2962 answered GaryReynolds commented

Hi,

I can see that the service account has these 2 permissions. As a matter of fact I even gave it full control over the users OU but it doesn't work nevertheless.
I tried to give permissions through the Delegate Control wizard, I joined the service account to Account Operators group, I even tried through the security tab of the OU but nothing worked.
I'll be glad to hear more ideas.

Thank you

145165-image.png


145166-image.png




Hi,

Normally resetting the password doesn't set the pwdlastset unless selected; can you provide a screenshot of the dialog with the option set?

Gary.


Hi

Are you able to share more information on the issue, and the steps you are following to reset the user's passwords using the service account?

Gary.


Hi,

Just checking if there is any update on this one?

Gary.

mschiavon answered

Are you doing these tests using the same TEST user?
Have you tested that the user whose password you are trying to reset has inherited the permissions of your reset-password users? (user properties => Security => Advanced => INCLUDE INHERITABLE PERMISSIONS FROM THIS OBJECT'S PARENT)

145273-screenshot-2021-10-31-at-18-16-58.jpg




LimitlessTechnology-2700 answered

Hi there,

To grant Microsoft Active Directory password reset permissions to your service account, try the steps below:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.

  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.

  3. Click Delegate Control to open the Delegation of Control Wizard.

  4. Click Next to proceed past the wizard's welcome page.

  5. Click Add.

  6. Click Next to proceed.

  7. Under Delegate the following common tasks, choose to delegate the privilege to Reset user passwords and force password change at next logon. This will delegate AD password change and reset privileges to the service account.

  8. Click Next to proceed.

  9. Review the changes and ensure the changes are correct.

  10. Click Finish to save your changes and close the wizard.

--If the reply is helpful, please Upvote and Accept it as an answer--


DanielBlanca-2962 answered GaryReynolds commented

Hello all,

Thank you for your help, however it's not solved yet.

@LimitlessTechnology-2700 - it was the first thing I've tried, didn't work.

@mschiavon:
1. I'm using 2 test users - test1 & test2. The desired outcome is that test1 can reset password for test2 without forcing test2 to set a new password on the first logon.
2. The inheritance option is checked.

@GaryReynolds-8098 - As I said test1 is able to reset password for test2 but test2 is forced to set a new one. I've tried the delegation wizard, joined test1 to Account Operators group and even gave test1 full permissions over the OU containing test2 but nothing helped.

I was told it might be a GPO issue but I'm not sure what to look for.


146477-1.png

146467-2.png

146448-3.png




GaryReynolds answered

Hi @DanielBlanca-2962

Interesting, I can't think of any policy that would force the pwdlastset to be zeroed when the password is changed.

The next steps I would try to figure out what is causing this behaviour:

  1. Clear the User must change the password at logon check box

  2. Confirm the change has been saved by reopening the properties dialog.

  3. Confirm the value in the msDS-UserPasswordExpiryTimeComputed and if it's in the past

  4. Logon with the account to confirm that the current password is set

  5. Confirm the meta data of the user object and details of when and on which server the password was changed, you can use this page as a reference on how to get this information

  6. Use this page to get a before snapshot of the user object, enter the DN for the user for both left and right object and click compare

  7. Use ADUC to change the password

  8. In NetTools click on the compare again, to see what attributes have been changed

  9. Open the meta data dialog again and confirm, when and which server changed the value of the pwdlastset attribute, and is it different from the one that change the unicodepwd attribute

Let us know how you go.

Gary.


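Steps 5 to 9 above take a before/after snapshot of the user object and then check the replication metadata of pwdlastset against unicodepwd. This added PowerShell (not code from the thread, and not NetTools) does the same with the ActiveDirectory module; it assumes that module and uses test2 from the thread. Both snapshots are read from the same DC so replication lag cannot skew the comparison.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module; 'test2' is the
# user from the thread. Query one DC for both snapshots so replication lag cannot skew the diff.
Import-Module ActiveDirectory

function Get-UserSnapshot([string]$Identity, [string]$Server) {
    # Flatten every attribute to a string so two snapshots can be compared key by key.
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties *
    $snap = @{}
    foreach ($p in $u.PropertyNames) { $snap[$p] = @($u.$p | ForEach-Object { "$_" }) -join ';' }
    return $snap
}

function Compare-UserSnapshot($Before, $After) {
    # Emit one row per attribute whose value differs (the "compare" view Gary refers to).
    foreach ($k in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        if ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Attribute = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
}

function Get-PasswordChangeOrigin([string]$Identity, [string]$Server) {
    # Replication metadata shows when, and on which DC, each attribute last changed.
    $dn = (Get-ADUser -Identity $Identity -Server $Server).DistinguishedName
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties * |
        Where-Object { $_.AttributeName -in @('unicodePwd', 'pwdLastSet', 'userAccountControl') } |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

$dc     = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$before = Get-UserSnapshot -Identity 'test2' -Server $dc
Read-Host 'Reset the password with the delegated account in ADUC now, then press Enter' | Out-Null
$after  = Get-UserSnapshot -Identity 'test2' -Server $dc

Compare-UserSnapshot -Before $before -After $after | Format-Table -AutoSize
# If pwdLastSet's originating DC or time differs from unicodePwd's, something other than
# the reset itself wrote the zero.
Get-PasswordChangeOrigin -Identity 'test2' -Server $dc | Format-Table -AutoSize
```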

DanielBlanca-2962 answered mschiavon edited

Got it solved.
I ran the Delegate control wizard on the root directory tree and I found some options there that you can't see when running this wizard on a specific OU.


146583-image.png

146509-image.png



I checked these two and it did the trick, now I'm able to check and uncheck the "User must change password at next login" option under account options. And, of course, I can reset password without forcing the user to set a new one.
Can't say for sure but I think it's the "Unexpire password" option which was needed, the other one can be skipped.

Thanks for your help.



Hi @DanielBlanca-2962

It's probably worth doing some additional checking of the permissions that are assigned to the root and OU structure in your AD, as the Unexpire Password extended right is not specifically required to allow a user to change the pwdlastset attribute. Especially as you granted the user Account Operators and full control rights over the user objects, you might have something else that is blocking these assigned permissions in the OU structure.

This post might help with finding out what the effective permissions for the user are: https://nettools.net/how-to-find-active-directory-effective-rights/

Gary.


So basically you didn't apply the permission from the root level and the AD does not allow TEST 1 to reset PWs.
