Delegate password reset for domain admins

  • Question

  • Hi All, 

    I am trying to delegate permissions for an account to reset domain admin passwords.  I have tried unsuccessfully using dsacls "CN=Domain Admins,CN=Users,DC=test,DC=local" /G "test\user\:CA;Reset Password;user" /I:S.  I'm not sure I'm using this right and I'm not even sure that using dsacls is still supported in server 2016. 

    Any insight is appreciated. 

    Thanks, 

    Tuesday, October 1, 2019 7:13 PM

Answers

  • Hi,

    Based on my experience, the reason you can delegate the permission for the domain admins is that the domain admins are members of a protected group. So we can't delegate the permission through OU-based delegation control.

    Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification.

    For more information, you can refer to the following link:

    https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx

    If you want to delegate permission for a user to change the password of the admins, you can refer to the following links:

    https://support.microsoft.com/en-us/help/817433/delegated-permissions-are-not-available-and-inheritance-is-automatical

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/appendix-i--creating-management-accounts-for-protected-accounts-and-groups-in-active-directory

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, October 2, 2019 2:31 AM

All replies

  • Great, thank you!  How can I use dsacls to remove those permissions as well?
    Wednesday, October 2, 2019 1:14 PM
  • Hi,

    I haven't tried the method, but you can refer to the following link:

    https://docs.centrify.com/Content/Infrastructure/privileged-identity-mgmt/Configuring_delegation_control_for_admin.htm

    Best Regards,

    Fan


    Thursday, October 3, 2019 1:35 AM
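The accepted answer explains why an OU-level dsacls grant never sticks on Domain Admins members (SDPROP overwrites their DACL from AdminSDHolder), and the follow-up asks how to undo such a grant with dsacls. The script below is an added example, not code from the thread, from Microsoft or from Centrify: it places the "Reset Password" control access right on AdminSDHolder so that SDPROP stamps it onto every protected user, forces an SDPROP pass, reports which Domain Admins members actually carry the ACE, and revokes it again. It assumes the ActiveDirectory module, a Domain Admin session on a DC or RSAT host, and a hypothetical delegate group TEST\PW-Reset-Tier0 in place of the thread's test\user; the dsacls one-liners in the comments are the equivalents as the author understands them. Whoever holds this right can take over any Domain Admin account, so the delegate must be treated as Tier 0 itself.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Assumes a Domain Admin session on a
# DC or RSAT host; the delegate group below is hypothetical.
Import-Module ActiveDirectory

$DelegateGroup = 'TEST\PW-Reset-Tier0'    # hypothetical; the thread uses test\user
$DomainDN      = (Get-ADDomain).DistinguishedName
$AdminSDHolder = "AD:\CN=AdminSDHolder,CN=System,$DomainDN"

# Schema GUID of the "Reset Password" control access right (User-Force-Change-Password).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function New-ResetPasswordAce {
    param([string]$Identity)
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])
    # Inheritance is deliberately None ("This object only"): SDPROP copies the
    # AdminSDHolder ACEs onto each protected object as they are, and an
    # inherit-only ACE would never take effect on the user object itself.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
}

function Grant-ProtectedResetPassword {
    # dsacls equivalent (no /I, so it applies to AdminSDHolder itself):
    #   dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G "TEST\PW-Reset-Tier0:CA;Reset Password"
    $acl = Get-Acl -Path $AdminSDHolder
    $acl.AddAccessRule((New-ResetPasswordAce $DelegateGroup))
    Set-Acl -Path $AdminSDHolder -AclObject $acl
}

function Revoke-ProtectedResetPassword {
    # dsacls equivalent, which removes every ACE held by that principal on the object:
    #   dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /R "TEST\PW-Reset-Tier0"
    $acl = Get-Acl -Path $AdminSDHolder
    [void]$acl.RemoveAccessRule((New-ResetPasswordAce $DelegateGroup))
    Set-Acl -Path $AdminSDHolder -AclObject $acl
}

function Invoke-SdProp {
    # SDPROP normally runs every 60 minutes on the PDC emulator; this triggers it now.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

function Test-ResetPasswordAce {
    # $true when the object's DACL carries an Allow Reset Password ACE for the delegate.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $DelegateGroup -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ResetPasswordGuid -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
    })
}

function Get-ProtectedUserDelegationReport {
    # One row per Domain Admins member (nested groups expanded): has SDPROP
    # stamped the ACE onto that user yet?
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                User        = $_.SamAccountName
                HasResetAce = Test-ResetPasswordAce -Path "AD:\$($_.DistinguishedName)"
            }
        }
}

# Usage:
#   Grant-ProtectedResetPassword
#   Invoke-SdProp; Start-Sleep -Seconds 30
#   Get-ProtectedUserDelegationReport | Format-Table
#   Revoke-ProtectedResetPassword; Invoke-SdProp
```

Granting on AdminSDHolder rather than on the Users container is the whole point: the ACE now survives SDPROP instead of being wiped by it. Revoking works the same way in reverse, and until the next SDPROP pass (or an Invoke-SdProp) the protected users still carry the old ACE, so run the report after revoking as well. Note that the same AdminSDHolder ACE lands on every protected account (built-in Administrator, Enterprise Admins members, and so on), not only on Domain Admins.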
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Fan


    Monday, October 7, 2019 1:46 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    William


    Friday, October 18, 2019 9:13 AM