Ledhed at 20:46, 23 August 2013

2013-08-23T20:46:05Z

Ledhed: Created page with "I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users. My initial testing seemed to imply that the delegation di..."

2013-08-23T20:45:30Z

Created page with "I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users. My initial testing seemed to imply that the delegation di..."

New page

I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users.
My initial testing seemed to imply that the delegation didn't work. Turns out that I was testing the password reset on a user object that was previously a member of the 'Domain Admins' group.
The reason this is significant is that Microsoft removes permission inheritance on any user object that is a member of the 'Domain Admins' group. This is a feature in that it prevents users with lower permissions from resetting passwords on 'Domain Admin' users.

Here in the interesting part, Microsoft does not reset the user object properties to inherit permissions once the user object is removed from the 'Domain Admins' group.
This means that any former Domain Admin user will not be able to have their password reset by users that have been delegated control.

The solution is go to the the Security Tab of the user object, click Advanced, and click Reset to Defaults button (or check the Inherit check box).
If you can't see the security tab for the user, then on "Active Directory Users and Computers" click the view menu and check "Advanced Features".

[[Category:Windows]]

@@ Line 1: / Line 1: @@
 I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users.
 My initial testing seemed to imply that the delegation didn't work. Turns out that I was testing the password reset on a user object that was previously a member of the 'Domain Admins' group.
-The reason this is significant is that Microsoft removes permission inheritance on any user object that is a member of the 'Domain Admins' group. This is a feature in that it prevents users with lower permissions from resetting passwords on 'Domain Admin' users.
+The reason this is significant is that Microsoft removes permission inheritance on any user object that is a member of the 'Domain Admins' group. This is a great feature in that it prevents users with lower permissions from resetting passwords on 'Domain Admin' users.

Domain Admin User Permission Inheritance - Revision history

Ledhed at 20:46, 23 August 2013

Ledhed: Created page with "I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users. My initial testing seemed to imply that the delegation di..."