Permissions required to reset password on ADCU

Daniel Blanca 1 Reputation point
2021-10-31T07:36:55.217+00:00

Hi,

I'm trying to grant a service account permissions to reset passwords for other user accounts, but it's not working as expected. I've read many articles regarding this but didn't get the desired outcome. I got to the point where the service account is able to reset passwords for other users, but those users then have to set a new one when they log on. On the reset password dialog the option "User must change password at next logon" is available and the service account can check/uncheck it, but it doesn't count: the user has to set a new password no matter what. Under account options the service account is able to check this option, but it can't uncheck it. What am I missing here? How can I accomplish this?

Thanks,
Daniel

Active Directory

7 answers

  1. Gary Reynolds 9,406 Reputation points
    2021-11-04T09:50:54.673+00:00

    Hi @Daniel Blanca

    Interesting, I can't think of any policy that would force the pwdlastset to be zeroed when the password is changed.

    These are the next steps I would try to figure out what is causing this behaviour:

    1. Clear the "User must change password at next logon" check box.
    2. Confirm the change has been saved by reopening the properties dialog.
    3. Confirm the value in msDS-UserPasswordExpiryTimeComputed and whether it's in the past.
    4. Log on with the account to confirm that the current password is set.
    5. Confirm the metadata of the user object and the details of when and on which server the password was changed. You can use this page as a reference on how to get this information.
    6. Use this page to get a before snapshot of the user object: enter the DN of the user for both the left and right object and click compare.
    7. Use ADUC to change the password.
    8. In NetTools, click compare again to see which attributes have been changed.
    9. Open the metadata dialog again and confirm when and on which server the value of the pwdLastSet attribute was changed, and whether it differs from the server that changed the unicodePwd attribute.

    Let us know how you go.

    Gary.

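The checks in Gary's list can be scripted so the before/after state and the replication metadata are captured in one run. The following is an added example using the ActiveDirectory PowerShell module; it is not code from the thread or from NetTools. The user name, the DC name and the credential prompt are assumptions for a lab run, and the password reset is performed as the delegated service account so that the result reflects that account's permissions rather than the administrator's.

```powershell
# Added example, not code from the thread. Automates Gary's steps 1-3 and 5-9 with the
# ActiveDirectory module: snapshot pwdLastSet and the computed expiry, reset the password
# as the delegated account, clear the "must change" flag, snapshot again, diff the two,
# and read replication metadata for pwdLastSet and unicodePwd.
# $User, $DC and the credential prompt are assumptions.
Import-Module ActiveDirectory

$User = 'testuser01'          # assumed: the account whose password is being reset
$DC   = 'dc01.corp.example'   # assumed: write and read back on the same DC to rule out replication lag
$Cred = Get-Credential -Message 'Delegated service account'

# Attributes worth watching; NetTools' compare view would show the same before/after diff.
$Watch = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed', 'userAccountControl', 'whenChanged'

function Get-PwdSnapshot {
    param([string]$Identity, [string]$Server)
    $u = Get-ADUser -Identity $Identity -Server $Server -Properties $Watch
    $snap = @{}
    foreach ($a in $Watch) { $snap[$a] = $u.$a }
    return $snap
}

function Compare-Snapshot {
    # Emits one row per attribute whose value differs between the two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($a in $Before.Keys) {
        if ("$($Before[$a])" -ne "$($After[$a])") {
            [pscustomobject]@{ Attribute = $a; Before = $Before[$a]; After = $After[$a] }
        }
    }
}

function Test-MustChangeAtLogon {
    # pwdLastSet = 0 is what ADUC displays as "User must change password at next logon".
    param([hashtable]$Snapshot)
    return ($Snapshot['pwdLastSet'] -eq 0)
}

function Get-PwdExpiry {
    # The constructed attribute is a FILETIME; Int64.MaxValue means the password never expires.
    param([hashtable]$Snapshot)
    $v = $Snapshot['msDS-UserPasswordExpiryTimeComputed']
    if ($null -eq $v -or $v -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($v)
}

$before = Get-PwdSnapshot -Identity $User -Server $DC

# Steps 1-2: reset as the delegated account, clear the flag, then read the object back.
Set-ADAccountPassword -Identity $User -Server $DC -Credential $Cred -Reset `
    -NewPassword (Read-Host -AsSecureString 'New password for the user')
Set-ADUser -Identity $User -Server $DC -Credential $Cred -ChangePasswordAtLogon $false

$after = Get-PwdSnapshot -Identity $User -Server $DC
"Must change at next logon: $(Test-MustChangeAtLogon $after)"
"Password expires (UTC):    $(Get-PwdExpiry $after)"     # step 3: is the expiry already in the past?
Compare-Snapshot -Before $before -After $after | Format-Table -AutoSize

# Steps 5 and 9: replication metadata shows when, and from which DC, each attribute last changed.
$dn = (Get-ADUser -Identity $User -Server $DC).DistinguishedName
Get-ADReplicationAttributeMetadata -Object $dn -Server $DC -Properties pwdLastSet, unicodePwd |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize
```

If the diff shows pwdLastSet going back to 0 after the flag was cleared, or the metadata shows pwdLastSet last written by a different DC than unicodePwd, that points at where the extra write is coming from. Step 4 (an interactive logon with the new password) is left to be done by hand.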

  2. Daniel Blanca 1 Reputation point
    2021-11-04T14:45:19.96+00:00

    Got it solved.
    I ran the Delegate control wizard on the root directory tree and I found some options there that you can't see when running this wizard on a specific OU.

    146583-image.png

    146509-image.png

    I checked these two and it did the trick, now I'm able to check and uncheck the "User must change password at next login" option under account options. And, of course, I can reset password without forcing the user to set a new one.
    Can't say for sure, but I think it's the "Unexpire password" option which was needed; the other one can be skipped.

    Thanks for your help.
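The same delegation can be applied without the wizard, which also makes it reviewable and repeatable. The following is an added example and not code from the thread; it grants the service account the "Reset Password" and "Unexpire Password" control access rights on user objects below an OU, plus write access to pwdLastSet (clearing the "must change" flag writes that attribute, and the service account in the question evidently already had it). The right and attribute GUIDs are resolved from the forest's Extended-Rights container and schema rather than hard-coded. The OU and the service account name are assumptions; Daniel ran the wizard on the domain root, and the script accepts that DN as well.

```powershell
# Added example, not code from the thread. Delegates password reset to a service account
# using ActiveDirectoryAccessRule objects instead of the Delegation of Control wizard.
# $OU and $ServiceAccount are assumptions.
Import-Module ActiveDirectory

$OU             = 'OU=Staff,DC=corp,DC=example'   # assumed: delegation scope (the thread used the domain root)
$ServiceAccount = 'CORP\svc-pwreset'              # assumed: account that performs the resets

$rootDse  = Get-ADRootDSE
$cfgNC    = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

function Get-ExtendedRightGuid {
    # Control access rights live under CN=Extended-Rights in the configuration partition,
    # keyed by the displayName the Delegation of Control wizard shows.
    param([string]$DisplayName)
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $r) { throw "Extended right '$DisplayName' not found" }
    return [Guid]$r.rightsGuid
}

function Get-SchemaIdGuid {
    # schemaIDGUID identifies an attribute or class inside an ACE; it is stored as a byte array.
    param([string]$LdapDisplayName)
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    return [Guid]::new([byte[]]$o.schemaIDGUID)
}

function New-DelegationAces {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $userClass   = Get-SchemaIdGuid 'user'     # apply only to user objects, not to the OU itself
    $descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $aces = @()
    foreach ($right in 'Reset Password', 'Unexpire Password') {
        $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            (Get-ExtendedRightGuid $right), $descendants, $userClass)
    }
    # Clearing "User must change password at next logon" writes pwdLastSet, so grant that attribute too.
    $aces += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        $allow, (Get-SchemaIdGuid 'pwdLastSet'), $descendants, $userClass)
    return $aces
}

function Grant-PasswordResetDelegation {
    param([string]$OuDn, [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in New-DelegationAces -Sid $sid) { $acl.AddAccessRule($ace) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-PasswordResetDelegation {
    # Read back what the account holds on the OU, as you would verify in ADUC > Security > Advanced.
    param([string]$OuDn, [string]$Account)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -OuDn $OU -Account $ServiceAccount
Get-PasswordResetDelegation   -OuDn $OU -Account $ServiceAccount | Format-Table -AutoSize
```

Scoping the ACEs to descendant user objects keeps the service account from gaining the same rights on computers, groups or the OU itself, and the read-back at the end is what to compare against the ACL before the change when auditing who can reset passwords in the domain.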