Deny password reset for helpdesk group

    Question

  • Hi,

    I have a mix of Windows 2008 R2 and Windows 2012 R2 domain controllers in multiple sites with 2 Exchange 2010 sites. For some reason, we don't want to give the helpdesk group the password reset option. I denied the option long back and it worked, and now I cannot remember on which OU or how I denied it. But now, for some reason, the group members are able to reset passwords. Moreover, helpdesk users can add themselves to the Domain Admin users group as well. How do I troubleshoot what went wrong, restrict helpdesk from resetting passwords, and restrict helpdesk members from adding themselves to the Domain Admin group?

    I am not sure if security inheritance on the Domain Admin group should be enabled or not. Now it is disabled.

    Kindly request your help to fix the issue.

    Tuesday, April 4, 2017 5:07 AM

All replies

  • Hi,

    Visit the URL below; it has multiple options for finding permissions.

    https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

    Tuesday, April 4, 2017 6:40 AM
  • Hi

    I cannot remember on which OU or how I denied >>> You can check this from the OU's Security tab, then remove the permission for the "help desk group".

    Moreover, helpdesk users can add themselves to the Domain Admin users group as well. >>> Only administrative accounts can do that (Domain Admins, Enterprise Admins, etc.); just remove them from the Domain Admins group. And also check these groups' "delegate permissions" for authorities....


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, April 4, 2017 6:47 AM

  • Kindly request your help to fix the issue.

    Unfortunately we cannot help you find where you have assigned permissions. But a step-by-step fix would be to create an isolated OU which has no inherited permissions from the domain, then add the Administrators and Domain Admins permissions as Full Control in that OU and move your sensitive accounts over there. Remove the help-desk users from the Domain Admins group and check if there are explicit permissions on the Domain Admins group itself. In that case you can lock your help desks down and prevent them from touching your Domain Admins group. Be cautious! We do not want you to lock yourself out.

    Then start by searching the ACLs of your help desk group. There are a variety of tools for that; this one is an example:

    Once you have a list of unneeded ACLs, remove them one by one carefully and check what happens after each. If everything went smoothly, move on to the next ACL.

    This will take some time depending on your environment. So grab a pen and paper because you will need to keep track or you will get lost. :)


    Mahdi Tehrani | | www.mahditehrani.ir
    Make sure to download my free PowerShell scripts:

    Tuesday, April 4, 2017 1:50 PM
    Moderator
  • Inheritance should not be enabled for the Domain Admins group. In fact, this group is a privileged group protected by a process called SDProp, which will disable inheritance within one hour if you enable it.

    The best way to give users permissions to reset passwords is to make them members of the Account Operators group. If you no longer want help desk personnel to reset passwords, then you need to remove them from this group. But then they won't be able to enable/disable users.

    If you only gave permission to reset passwords for users in an OU, then you used delegation of administration. This is described in this article:

    http://techgenix.com/Implementing-Active-Directory-Delegation-Administration/

    Steps to check if a user or group has reset password permissions in an OU would be:

    1. Start ADUC.

    2. Right-click the OU you want to check.

    3. Click the Security tab.

    4. Click Advanced.

    5. Click Effective Permissions, and then specify the user or group whose permissions you want to check.

    6. Check the following Effective permission list to see if they have "Reset Password" permission on this object.

    You need to check all OUs. These Wikis have screenshots of the process:

    https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

    https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, April 4, 2017 2:46 PM
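The three checks Mahdi and Richard describe above (where a group holds an explicit ACL entry for "Reset Password", whether it sits inside a privileged group, and what it can do to the Domain Admins group object itself), as one added PowerShell script. This is not code from the thread or from any of the posters. It assumes the ActiveDirectory RSAT module is installed and that the helpdesk group is called 'Helpdesk'; that name and the list of privileged groups are assumptions to adjust. It looks only at explicit (non-inherited) ACEs, because the explicit ACE is where a delegation was actually set, and it reports Deny entries alongside Allow, since this thread turns on a Deny that stopped working.

```powershell
# Added example (not from this thread): read-only audit of a helpdesk group's
# reset-password delegations and privileged-group nesting.
# Assumes the ActiveDirectory RSAT module and read access to the AD: drive.
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk'   # assumed name of the helpdesk security group; change to match yours

# Schema GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllExtendedRights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$group = Get-ADGroup -Identity $HelpdeskGroup

# Every group that transitively contains the helpdesk group (LDAP_MATCHING_RULE_IN_CHAIN).
# An ACE or a privileged membership on any of these applies to helpdesk members too.
$parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$sidsOfInterest = @($group.SID.Value) + @($parents | ForEach-Object { $_.SID.Value })

function Get-AceSid {
    # Translate the ACE identity (usually DOMAIN\Name) to a SID string; $null if unresolvable.
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# 1. Where, explicitly, does the helpdesk group (or a parent group) hold the reset-password right?
#    Inherited ACEs are skipped on purpose: the explicit ACE is the place the delegation was set.
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                 Select-Object -ExpandProperty DistinguishedName)

$resetFindings = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ((Get-AceSid $ace) -notin $sidsOfInterest) { continue }
        # The right is granted either by name, or implicitly by "all extended rights" / Full Control.
        $grantsReset = ($ace.ObjectType -eq $ResetPasswordGuid) -or
                       ($ace.ObjectType -eq [Guid]::Empty -and
                        ($ace.ActiveDirectoryRights.HasFlag($AllExtendedRights) -or
                         $ace.ActiveDirectoryRights.HasFlag($GenericAll)))
        if (-not $grantsReset) { continue }
        [PSCustomObject]@{
            Container = $dn
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = $ace.InheritanceType
        }
    }
}

# 2. Is the helpdesk group nested inside a privileged group? Builtin\Administrators is in the
#    list because membership there also confers these rights. Assumed list; extend as needed.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privilegedHits = $parents | Where-Object { $_.Name -in $privileged } | Select-Object -ExpandProperty Name

# 3. Explicit ACEs for the helpdesk group (or a parent) on the Domain Admins group object itself.
$daDn   = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$daAces = (Get-Acl -Path "AD:\$daDn").Access |
    Where-Object { -not $_.IsInherited -and (Get-AceSid $_) -in $sidsOfInterest }

"== Explicit reset-password ACEs held by $HelpdeskGroup (or its parent groups) =="
$resetFindings | Format-Table -AutoSize
"== Privileged groups that contain $HelpdeskGroup (directly or nested) =="
$privilegedHits
"== Explicit ACEs for $HelpdeskGroup on the Domain Admins group object =="
$daAces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

Run it from a domain controller or any machine with RSAT; it only reads the directory. An empty first table with a non-empty second one is the situation the original poster ended up in: no OU delegation at all, but rights arriving through group membership, which no amount of Deny ACEs on OUs will override.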
  • Thank you all for the suggestions and links. I will check the suggestions shortly.

    Thank you.

    Thursday, April 6, 2017 4:32 AM
  • Hi

    I cannot remember on which OU or how I denied >>> You can check this from the OU's Security tab, then remove the permission for the "help desk group".

    Moreover, helpdesk users can add themselves to the Domain Admin users group as well. >>> Only administrative accounts can do that (Domain Admins, Enterprise Admins, etc.); just remove them from the Domain Admins group. And also check these groups' "delegate permissions" for authorities....


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Hi Burak,

    I believe the below is a typo and it should be "cannot" instead of "can":

    Moreover, helpdesk users can add  themselves to the Domain Admin users group as well

    Thursday, April 6, 2017 4:35 AM
  • Hi

    As already said, you should check the members of Domain Admins, Enterprise Admins, etc. (the administrative groups) for these "helpdesk users"; if you find them, just remove them.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, April 6, 2017 10:10 AM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 10, 2017 2:10 PM
    Moderator
  • Hi Wendy,

    Thanks for the follow up.

    Unfortunately I still cannot figure out the issue with all the above suggestions. Moreover, I am a bit scared to mess up the whole setup by committing some errors without knowing what I am doing. I am still trying to figure out the issues and would love to fix the issue once and for all.

    It may take some time. But I will keep trying and update.

    What if I delegate the password reset option to the helpdesk at the root of the domain and then change Allow to Deny, as Deny takes precedence over Allow? Will that work as a workaround until I figure out the actual issue?

    Tuesday, April 11, 2017 6:19 AM
  • Hi,

    I may have figured out the issue, though with slight restrictions. The helpdesk group members are not Domain Admins. But they were members of the DC Builtin\Administrators group. I believe this was probably creating the issue. I removed the group from the Builtin\Administrators group, removed all the delegations from the root, reconfigured the delegation with Allow as in the attachment, and again delegated password reset with Deny.

    Now the helpdesk group doesn't seem to have password reset permission. However, the helpdesk group is not able to create any distribution groups. For this I went to Exchange RBAC and added the group to the Distribution Groups role, and it seems to be fine.

    My remaining issue is that when a user logs into the DC and opens ADUC, they are prompted for credentials, and it seems like a UAC issue. The helpdesk group members are unable to move users, computers or groups to another OU. How can I configure the slider to never notify for the group for UAC and enable moving the objects to different OUs?

    

    Thanks a lot 

    Thursday, April 13, 2017 5:22 AM
  • Hi,
    First of all, appreciate you for the update and share, it will be greatly helpful to others who have the same question.
    You could change the behavior of UAC; please see details at: https://technet.microsoft.com/en-us/library/dd835561(v=ws.10).aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 19, 2017 1:56 AM
    Moderator