From LedHed's Wiki

I came across a strange behavior the other day. I delegated control of "Reset Password" to a group of helpdesk users. My initial testing seemed to imply that the delegation didn't work. Turns out that I was testing the password reset on a user object that was previously a member of the 'Domain Admins' group. The reason this is significant is that Microsoft removes permission inheritance on any user object that is a member of the 'Domain Admins' group. This is a great feature in that it prevents users with lower permissions from resetting passwords on 'Domain Admin' users.


Here is the interesting part: Microsoft does not reset the user object to inherit permissions once the user object is removed from the 'Domain Admins' group. This means that any former Domain Admin user will not be able to have their password reset by users that have been delegated control.


The solution is to go to the Security tab of the user object, click Advanced, and click the Reset to Defaults button (or check the Inherit check box). If you can't see the Security tab for the user, then in "Active Directory Users and Computers" click the View menu and check "Advanced Features".
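Clicking through every former Domain Admin in the GUI does not scale, so here is an added PowerShell example (mine, not from this wiki page) that finds user objects which are no longer members of the protected group but still have inheritance blocked, and optionally restores inheritance the same way the Reset to Defaults button does. It assumes the RSAT ActiveDirectory module is installed (it provides the `AD:` drive that `Get-Acl`/`Set-Acl` use) and that the account running it may read and write those objects' security descriptors. It also relies on two things the page does not mention: the `adminCount` attribute, which the AdminSDHolder/SDProp process sets to 1 on objects it protects, and the ACL's `AreAccessRulesProtected` flag, which is what "inheritance disabled" looks like programmatically.

```powershell
# Added example, not from the wiki page: list users marked by SDProp (adminCount=1)
# that are no longer members of the protected group, show whether their ACL still
# blocks inheritance, and with -Fix restore inheritance and clear adminCount.
# Assumes the ActiveDirectory RSAT module and sufficient rights on the user objects.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Group whose former members we are looking for; the page's case is Domain Admins
    [string]$ProtectedGroup = 'Domain Admins',
    # Without -Fix the script only reports; with -Fix it re-enables inheritance
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop

# Current (recursive) membership of the protected group, keyed by distinguishedName,
# so that users who are still legitimately protected are skipped.
$currentMembers = @{}
Get-ADGroupMember -Identity $ProtectedGroup -Recursive |
    ForEach-Object { $currentMembers[$_.distinguishedName] = $true }

# adminCount=1 is the mark SDProp leaves behind; it is not removed when the
# user leaves the group, which is exactly the behaviour the page describes.
$candidates = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $currentMembers.ContainsKey($_.DistinguishedName) }

foreach ($user in $candidates) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Report line: InheritanceBlocked = $true means delegated helpdesk rights
    # (e.g. Reset Password) do not reach this object.
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        AdminCount         = $user.adminCount
    }

    if ($Fix -and $acl.AreAccessRulesProtected -and
        $PSCmdlet.ShouldProcess($user.SamAccountName, 'Restore ACL inheritance and clear adminCount')) {
        # Programmatic equivalent of the Inherit check box / Reset to Defaults:
        # stop protecting the DACL so inherited ACEs flow back in.
        # Second argument $false = do not keep copies of the previously inherited ACEs.
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl
        # Clear adminCount so SDProp does not simply re-protect the object on its next run.
        Set-ADUser -Identity $user -Clear adminCount
    }
}
```

Run it without `-Fix` first to get the report, then with `-Fix -WhatIf` to see which objects would be changed, and finally with `-Fix`. Two caveats: the script only compares against the one group you pass in, so a user who is still a member of another AdminSDHolder-protected group (Account Operators, Backup Operators, and so on) will be re-protected by SDProp on its next run even after the fix; and after re-enabling inheritance it is worth re-testing the helpdesk delegation on one of the affected accounts, since that was the symptom that exposed the problem in the first place.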