Reset Passwords, Account operators, Delegation - access denied

microsoft.public.windows.server.security
Posted by Tlan on August 8, 2006, 8:37 pm
hopefully someone has some input on this,
Helpdesk group cannot reset passwords: The error received is

Windows cannot complete the password change for %%users%% because:
Access is Denied

I have a helpdesk group who is in the account operators, Server
operators groups.

I have delegated password reset permissions at the domain level.

They are unable to reset any passwords in the domain at this time

I have moved them to new groups, gave these groups delegated
permissions and new OUs, and I just cannot get this to work.

Anyone have any ideas as to why this is happening? Am I missing
something here? Is there a policy that I am not finding?

Any help TIA


Posted by Joe Richards [MVP] on August 8, 2006, 9:48 pm
Remove everyone from the server operators and account operators groups.
It is stupid to use them because both groups can usually just escalate
themselves to domain admin level anyway if they know what they are doing.

Acc ops just gives rights that should be delegated in AD anyway and Serv
Ops gives powers over DCs that no one except DAs should have. If you
allow someone to monkey with the scheduler or services or system
binaries they can do anything they want to the machine.

So once you have removed them from those groups, make sure that
admincount is set to zero on all of them and then go into the ACLs and
reapply inheritance.

BTW, this is all expected. It is called the AdminSDHolder functionality.
It is designed to protect you. But again, the best protection is not to
use those groups in the first place.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Tlan wrote:
> hopefully someone has some input on this,
> Helpdesk group cannot reset passwords: The error received is
>
> Windows cannot complete the password change for %%users%% because:
> Access is Denied
>
> I have a helpdesk group who is in the account operators, Server
> operators groups.
>
> I have delegated password reset permissions at the domain level.
>
> They are unable to reset any passwords in the domain at this time
>
> I have moved them to new groups, gave these groups delegated
> permissions and new OUs, and I just cannot get this to work.
>
> Anyone have any ideas as to why this is happening? Am I missing
> something here? Is there a policy that I am not finding?
>
> Any help TIA
>
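As an added illustration of the cleanup Joe describes (pull the helpdesk accounts out of the operator groups, clear adminCount, put inheritance back on the objects), here is a PowerShell script that is not part of this thread and not Joe's code. It assumes the ActiveDirectory module from RSAT and its AD: drive, which did not exist on the 2003-era servers being discussed; the protected-group list below is partial, and the "report first, then fix" structure is my own choice. Accounts that are stamped adminCount=1 but are no longer in any protected group are the ones that keep the locked-down ACL and therefore keep failing delegated password resets.

```powershell
# Added example, not from the thread. Finds accounts that were once in a
# protected group (adminCount=1), are no longer in one, and still carry the
# AdminSDHolder ACL; clears adminCount and re-enables inheritance on them.
# Assumes the ActiveDirectory module (RSAT) and the AD: drive. Run with
# -ReportOnly first and review the list before changing anything.
param([switch]$ReportOnly)

Import-Module ActiveDirectory

# Groups whose members SDProp stamps with adminCount=1. This is a partial
# list (assumption: it covers the groups relevant to a helpdesk cleanup);
# extend it if your domain has other protected groups in play.
$protectedGroups = 'Account Operators', 'Server Operators', 'Backup Operators',
                   'Print Operators', 'Administrators', 'Domain Admins',
                   'Enterprise Admins', 'Schema Admins'

# Collect the DNs of everyone who still legitimately belongs to a protected
# group, nested membership included, so we never touch a real admin.
$stillProtected = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $stillProtected[$_.distinguishedName] = $true }
    } catch {
        Write-Warning "Could not enumerate '$g': $_"
    }
}

# Orphans: adminCount=1 but not in any protected group any more. SDProp never
# cleans these up; they keep the AdminSDHolder ACL until someone fixes them.
$orphans = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($u in $orphans) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # AreAccessRulesProtected = $true means inheritance is blocked on the object.
    Write-Host ("{0,-20} adminCount=1  inheritanceBlocked={1}" -f
        $u.SamAccountName, $acl.AreAccessRulesProtected)
    if ($ReportOnly) { continue }

    # 1. Clear adminCount so SDProp has no reason to reapply the AdminSDHolder ACL.
    Set-ADUser -Identity $u -Clear adminCount

    # 2. Re-enable inheritance so the OU-level password-reset delegation flows
    #    down again. $false = stop protecting, $true = keep existing explicit ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once with -ReportOnly to see who is affected, remove the helpdesk accounts from Account Operators and Server Operators, then run it again to clear adminCount and restore inheritance. The order matters: SDProp runs periodically on the PDC emulator (hourly by default) and will re-stamp and re-protect any account that is still a member of a protected group, which is exactly the behaviour the original poster hit.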

Posted by Tlan on August 9, 2006, 12:53 am
Yeah, I see the AdminSDHolder is the problem.

Ok, delegation is the solution. I will test that to see if it gives me
the results I want.

Thanks




On Tue, 08 Aug 2006 21:48:20 -0400, "Joe Richards [MVP]"

>Remove everyone from the server operators and account operators groups.
>It is stupid to use them because both groups can usually just escalate
>themselves to domain admin level anyway if they know what they are doing.
>
>Acc ops just gives rights that should be delegated in AD anyway and Serv
>Ops gives powers over DCs that no one except DAs should have. If you
>allow someone to monkey with the scheduler or services or system
>binaries they can do anything they want to the machine.
>
>So once you have removed them from those groups, make sure that
>admincount is set to zero on all of them and then go into the ACLs and
>reapply inheritance.
>
>BTW, this is all expected. It is called the AdminSDHolder functionality.
>It is designed to protect you. But again, the best protection is not to
>use those groups in the first place.
>
> joe


Posted by Tlan on August 9, 2006, 12:56 am

AND I just bought your book


On Tue, 08 Aug 2006 21:48:20 -0400, "Joe Richards [MVP]"

>Remove everyone from the server operators and account operators groups.
>It is stupid to use them because both groups can usually just escalate
>themselves to domain admin level anyway if they know what they are doing.
>
>Acc ops just gives rights that should be delegated in AD anyway and Serv
>Ops gives powers over DCs that no one except DAs should have. If you
>allow someone to monkey with the scheduler or services or system
>binaries they can do anything they want to the machine.
>
>So once you have removed them from those groups, make sure that
>admincount is set to zero on all of them and then go into the ACLs and
>reapply inheritance.
>
>BTW, this is all expected. It is called the AdminSDHolder functionality.
>It is designed to protect you. But again, the best protection is not to
>use those groups in the first place.
>
> joe


Posted by Joe Richards [MVP] on August 9, 2006, 10:53 pm
Enjoy it. :)

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Tlan wrote:
> AND I just bought your book
>
>
> On Tue, 08 Aug 2006 21:48:20 -0400, "Joe Richards [MVP]"
>
>> Remove everyone from the server operators and account operators groups.
>> It is stupid to use them because both groups can usually just escalate
>> themselves to domain admin level anyway if they know what they are doing.
>>
>> Acc ops just gives rights that should be delegated in AD anyway and Serv
>> Ops gives powers over DCs that no one except DAs should have. If you
>> allow someone to monkey with the scheduler or services or system
>> binaries they can do anything they want to the machine.
>>
>> So once you have removed them from those groups, make sure that
>> admincount is set to zero on all of them and then go into the ACLs and
>> reapply inheritance.
>>
>> BTW, this is all expected. It is called the AdminSDHolder functionality.
>> It is designed to protect you. But again, the best protection is not to
>> use those groups in the first place.
>>
>> joe
>
