Administrators no longer able to reset user passwords in ADUC - Access Denied

Graham Wells 1 Reputation point
2022-08-23T08:38:33.77+00:00

Recently we made some structure changes in our AD environment: we moved a few OUs around within a parent OU (Departments), from which all sub-OUs inherit their security permissions.

For some reason, all the Service Desk members who were part of Account Operators can no longer reset user passwords; they receive Access Denied. They can create & delete users, enable & disable... the only thing broken is password reset.

Tried taking them all out of Account Operators, created a unique security group and delegated permissions for password reset etc. Same scenario: they can do absolutely anything to a user object EXCEPT reset passwords.

Also created a completely new OU and explicitly set permissions on it, but that yields the same result.

Anyone come across this before?

Active Directory

4 answers

  1. JimmySalian-2011 41,916 Reputation points
    2022-08-23T09:07:07.89+00:00

    Hi,

    Thank you for asking this question on the Microsoft Q&A Platform.

    Can you try and test the reset process by using AD Admin Center? If it makes any difference, can you also share the permissions assigned on the OU, including the security permissions?

    Please check if there are any Deny entries assigned in the OU's security permissions.
    Check the Domain Controller logs for any events logged when the SD cannot reset the passwords.

    ==

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Gary Reynolds 9,391 Reputation points
    2022-08-23T09:53:32.34+00:00

    Hi

    When you create a new OU the following permissions are assigned by default; these are defined in the defaultSecurityDescriptor attribute of the OU class. Account Operators get rights to create and delete computer, user, group, and printQueue objects in the OU.

    (screenshot 233980-image.png: default permissions on a new OU)

    On the default permissions of a user object, Account Operators get full control of new user objects.

    (screenshot 233878-image.png: default permissions on the user class)

    So on a user object, Account Operators get full control over the object.

    (screenshot 234021-image.png: Account Operators full control on a user object)

    As these permissions are only set when the objects are created and have no inheritance defined, once they are removed they will not be reinstated or inherited from the parent OU structure.

    I would check that the OU containing the user object has the correct permissions shown above for the OU, and that the user in the OU has the full control permission.

    Gary.


  3. Limitless Technology 39,351 Reputation points
    2022-08-23T14:44:38.457+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues with admins not being able to reset passwords.

    1. Please check if the users are members of any admin group (like built-in Administrators, Domain Admins, Enterprise Admins, Schema Admins etc.). If the users are members of any administrative group, their delegation will be decided by the "AdminSDHolder" container.
    2. Please check the two users in Attribute Editor and look for the "adminCount" attribute. If that is 1, then they are definitely members of a highly privileged group, and AdminSDHolder comes into play.

    Reference:
    https://learn.microsoft.com/en-us/answers/questions/610313/permissions-required-to-reset-password-on-adcu.html

    --------------------

    --If the reply is helpful, please Upvote and Accept as answer--
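An added PowerShell check, not from the thread or from Microsoft, that ties the three answers together: it reads the user's adminCount and whether ACL inheritance is blocked on the object (the AdminSDHolder angle), then lists every Allow or Deny ACE on the user that covers the "Reset Password" extended right, Deny entries first (the OU-permission and Deny-entry angles). It assumes the RSAT ActiveDirectory module and read access to the object's security descriptor; the account and group names are constructed placeholders.

```powershell
# Added diagnostic, not code from the thread. Assumes the RSAT ActiveDirectory
# module (AD: drive) and an account allowed to read nTSecurityDescriptor.
Import-Module ActiveDirectory

# Schema rightsGuid of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordAces {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DelegatedGroup   # optional filter, e.g. the delegated service desk group
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, DistinguishedName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # adminCount = 1 means the object is (or once was) protected by AdminSDHolder; SDProp
    # rewrites its ACL periodically, which silently drops rights delegated at the OU.
    [pscustomobject]@{
        User           = $user.DistinguishedName
        AdminCount     = $user.adminCount
        InheritanceOff = $acl.AreAccessRulesProtected
    } | Format-List

    # ACEs that grant or deny Reset Password: either the specific extended right, or a
    # blanket entry (ObjectType all zeros) carrying ExtendedRight or GenericAll.
    $blanket = [System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, GenericAll'
    $acl.Access |
        Where-Object {
            ($_.ObjectType -eq $ResetPasswordGuid) -or
            ($_.ObjectType -eq [guid]::Empty -and ($_.ActiveDirectoryRights -band $blanket) -ne 0)
        } |
        Where-Object { -not $DelegatedGroup -or $_.IdentityReference -like "*$DelegatedGroup*" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
        Sort-Object AccessControlType -Descending   # Deny rows first: a Deny beats any Allow
}

# Example call with constructed placeholder names.
Get-ResetPasswordAces -SamAccountName 'jdoe' -DelegatedGroup 'ServiceDesk'
```

If the user shows AdminCount 1 and no Allow row for the delegated group, the fix is membership in a protected group (or a stale adminCount), not the OU ACL; if a Deny row appears above the Allow, that Deny is what produces Access Denied.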


  4. edmuro 0 Reputation points
    2024-02-08T16:31:57.0933333+00:00

    I solved it: from the user's properties, Security tab, Advanced, and resetting the permission values to the defaults. It works!!
