Active Directory Delegation Password issue

  • Question

  • Hello,

    I have a problem with Active Directory delegation, more specifically with setting and resetting user account passwords.

    I have 2 different forests (let's call them domain 1 and domain 2). I created an external trust, 1-way, with SID filtering enabled and domain-wide authentication, and it works fine as expected.

    I have a few users in domain 1 that I want to have full control in Active Directory for the other domain (domain 2), so I created a domain local security group in domain 2 and added the users to it.

    I ran the Delegation of Control wizard and assigned full permission to the local group. I can create and manage almost everything, but not passwords. When I create a new user I get a warning "the password for user1 cannot be set due to insufficient privileges. Windows will attempt to disable this account..." and the account gets disabled.

    If I try to reset the password for the same user I get "Windows cannot complete the password change for user1 because: Access is denied".

    Now, I have been trying to troubleshoot this for a few days; this is what I tried:

    - I tried to give permission directly to the user in the other forest/domain, full control or just manage users and passwords; same result.

    - Event Viewer does not show any errors. I was looking for event IDs 4724 and 4725, but nothing was logged there for the user in the other domain.

    - I made sure the permissions were applied correctly: I checked ADUC, under Properties, Security and Advanced, and made sure everything is selected; I checked the permissions with PowerShell, dsacls and LDP.exe. In every case the permissions are fine, set to full control and exactly the same as Domain Admins.

    I suspect that something does not work when delegating to users from different forests, and I am really confused.

    I hope that one of you can help me with this.

    Wednesday, July 8, 2020 1:11 PM

Answers

  • I found the setting.

    Under the Local Policies - Security Options

    Network access: Restrict clients allowed to make remote calls to SAM

    The permission set on this policy could be wrong, but just setting it to Not Defined and removing the corresponding registry key will fix the issue.

    • Marked as answer by AndreTechno Thursday, July 16, 2020 1:07 PM
    Wednesday, July 15, 2020 6:00 PM
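As an added example (not from the thread), the following PowerShell check, run on the domain 2 domain controller that services the reset, shows what the RestrictRemoteSam value currently allows and whether the delegated group is covered; the group name is a constructed placeholder. Rather than removing the policy outright, it also prints an SDDL that keeps the restriction and adds only the delegated group.

```powershell
# Added example, not from the thread: audit the "Network access: Restrict clients
# allowed to make remote calls to SAM" setting (Windows Server 2016+ / Win10 1607+)
# on the DC that handles the password reset, and report whether the delegated
# group is allowed. Assumptions: $DelegatedGroup is a constructed placeholder; the
# registry value names and the default SDDL are as documented by Microsoft.
param(
    [string]$DelegatedGroup = 'DOMAIN2\Delegated-Admins'   # constructed placeholder
)

$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$defaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # default: only BUILTIN\Administrators
$ReadControl = 0x20000                    # the RC right the policy grants/denies

$props     = Get-ItemProperty -Path $lsaKey
$sddl      = $props.RestrictRemoteSam
$auditOnly = [bool]$props.RestrictRemoteSamAuditOnlyMode

if ([string]::IsNullOrEmpty($sddl)) {
    Write-Output "RestrictRemoteSam not set; OS default applies: $defaultSddl"
    $sddl = $defaultSddl
} else {
    Write-Output "RestrictRemoteSam = $sddl  (audit-only mode: $auditOnly)"
}

# Resolve the delegated group to a SID so it can be matched against the ACEs.
$account  = New-Object System.Security.Principal.NTAccount($DelegatedGroup)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Walk the DACL: each ACE names who may (or may not) open a remote SAM connection,
# which is what a password set/reset through ADUC needs on the DC.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$groupAllowed = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # unresolvable SID: print it raw
    Write-Output ("{0,-13} {1,-45} mask=0x{2:X}" -f $ace.AceType, $who, $ace.AccessMask)
    if ($ace.AceType -eq 'AccessAllowed' -and
        ($ace.AccessMask -band $ReadControl) -and $sid.Value -eq $groupSid) {
        $groupAllowed = $true
    }
}

if ($groupAllowed) {
    Write-Output "$DelegatedGroup is allowed; the SAM restriction is not what blocks the reset."
} else {
    # Narrower alternative to clearing the policy: keep it and add just this group.
    $suggested = $sddl -replace '\)$', ")(A;;RC;;;$groupSid)"
    Write-Output "$DelegatedGroup is NOT allowed remote SAM calls on this DC."
    Write-Output "Suggested SDDL that keeps the restriction: $suggested"
}
```

With RestrictRemoteSamAuditOnlyMode set, the DC logs would-be denials instead of enforcing them, which is a safer way to confirm this policy is the cause before changing it.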

All replies

  • Hi,

    I did a test in my lab:

    Test user 1 from domain 1; domain 1 and 2 have a 2-way trust. I added user 1 to a domain local group in domain 2.

    I gave the group full control through Delegation of Control.

    Then user 1 logged into domain 2 and changed the password, and it worked successfully.

    Best Regards,
    Fan


    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, July 9, 2020 1:16 AM
  • Hi Fan,

    thanks for checking this.

    I recreated my environment in a test lab and you are right, the delegation works as expected.

    I noticed that there is a group policy that blocks the set/reset password, probably in the security settings. Any idea which setting can do this?

    I will go ahead and test them 1 by 1, but it will take me a long time, as I have a lot of settings.

    Thursday, July 9, 2020 2:18 PM
  • Hi,

    From my side I would check the following settings:


    Then whether the user belongs to any Protected Groups.

    Fan




    Friday, July 10, 2020 7:53 AM
  • Hi,

    You are welcome to share your current situation.

    Please feel free to let us know if you need further assistance.


    Best Regards,

    Fan



    Monday, July 13, 2020 6:40 AM
  • Hi Fan,

    I am still working on it. As soon as I find the setting I will post it here.

    Tuesday, July 14, 2020 2:21 PM
  • Hi,

    Thanks for posting here and sharing the resolution in the forum, as it will be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Fan



    Thursday, July 16, 2020 2:21 AM