User Delegation Not working

  • Question

  • Hello All,

    We have a service account to which we have delegated rights on the Users OU. The delegated rights are Enable, Disable, Password reset, Create and Delete.

    During testing with the service account we are able to enable, disable, create and delete, and we are even able to reset the password. But after the reset, when we try to remove the check for "User must change password at next logon", we get the attached error.


    Thanks HA

    Thursday, July 11, 2019 2:17 PM

All replies

  • Hi Anup,

    When you use the Delegation of Control Wizard to delegate the ability to reset passwords, the delegated user or group does NOT have permission to force a user to change their password at next logon.

    To allow a user or group to set User must change password at next logon:

    01. Open Active Directory Users and Computers.

    02. Use the View menu to check Advanced Features.

    03. Right-click the container that you have delegated control over and press Properties.

    04. Select the Security tab.

    05. Press the Advanced button.

    06. Select the Permissions tab.

    07. Press the Add button.

    08. Select the user or group that has the password reset permission and press OK.

    09. On the Permission Entry for Users dialog, select the Properties tab.

    10. Select User objects in the Apply onto drop-down list.

    11. Check the Allow column box for Write Account Restrictions.

    12. Press OK, Apply, OK, and OK.

    Regards,

    SAAD Youssef


    • Proposed as answer by SAAD Youssef Thursday, July 11, 2019 2:57 PM
    Thursday, July 11, 2019 2:56 PM
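
To check the result of the steps above from PowerShell, the following added example (not part of the original thread) lists the password-related ACEs a delegate holds on the OU and on one user object, and reports whether that user object has inheritance disabled. The DNs, the account name and the function name `Get-PasswordDelegationAce` are placeholders and assumptions; the `pwdLastSet` entry is included because that attribute backs the "User must change password at next logon" checkbox and belongs to the Account Restrictions property set.

```powershell
# Added example. $OuDn, $UserDn and $Delegate are placeholders, not values from the thread.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive used by Get-Acl

$OuDn     = 'OU=Users,DC=example,DC=com'
$UserDn   = 'CN=Test User,OU=Users,DC=example,DC=com'
$Delegate = 'EXAMPLE\svc-delegation'

# Schema GUIDs of the rights involved (identical in every forest).
$Rights = @{
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions (property set)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Get-PasswordDelegationAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Identity
    )
    # Keep only ACEs for this identity that target one of the rights above.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $Rights.ContainsKey($_.ObjectType.ToString())
        } |
        Select-Object AccessControlType, ActiveDirectoryRights,
            @{ Name = 'Right'; Expression = { $Rights[$_.ObjectType.ToString()] } },
            InheritanceType, IsInherited
}

# 1. ACEs granted directly on the OU (what steps 01-12 create).
Get-PasswordDelegationAce -DistinguishedName $OuDn -Identity $Delegate |
    Format-Table -AutoSize

# 2. The same ACEs as seen on a user object; they should show IsInherited = True.
$userAcl = Get-Acl -Path "AD:\$UserDn"
if ($userAcl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is disabled on $UserDn; ACEs set on the OU do not reach it."
}
Get-PasswordDelegationAce -DistinguishedName $UserDn -Identity $Delegate |
    Format-Table -AutoSize
```

If the rights were delegated to a group rather than to the account itself, pass the group name as `$Delegate`. Rows with `AccessControlType` set to `Deny` are also listed, so a conflicting deny entry shows up in the same output.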
  • Hi,

    I tried to do a test as you.

    And I could remove the check for "User must change password at next logon".

    Please check the details of the permissions as follows:

    

    Best Regards,

    Fan



    Friday, July 12, 2019 6:45 AM
  • Hi,

     

    Just want to confirm the current situation.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Fan

     



    Tuesday, July 16, 2019 9:21 AM
  • Sorry for the late response, but the situation is the same for new and existing accounts. I can see Write Account Restrictions check-marked on individual user objects, but I still get the same error.


    Thanks HA



    • Edited by Anup Ghonge Tuesday, July 16, 2019 2:55 PM screen shot added
    Tuesday, July 16, 2019 2:49 PM
  • Have you tested my suggestion above?
    Tuesday, July 16, 2019 3:35 PM
  • Yes, I have followed the same steps, but still the error.

    Thanks HA

    Tuesday, July 16, 2019 3:41 PM
  • Yes, I have followed the same steps, but still the error.

    Thanks HA

    Can you try with this:

    Minimum permissions are needed for a delegated administrator to force password change at next logon procedure

    Tuesday, July 16, 2019 3:45 PM
  • Hello Saad, 

    Today we have noticed that our Helpdesk team is also not able to perform these changes. They have had these permissions for many years. The new service ID also has the same error. I think the permissions are not getting inherited.

    The Helpdesk team is able to perform the changes on another domain.


    Thanks HA

    Wednesday, July 17, 2019 4:22 PM
  • Hi,

    Would you please tell me which method you used to delegate the rights?

    Or

    Best Regards,

    Fan



    Friday, July 19, 2019 8:52 AM
  • Hi,

     

    Just want to confirm the current situation.

     

    Please feel free to let us know if you need further assistance.

     

    Best Regards,

    Fan



    Tuesday, July 23, 2019 7:35 AM
  • Thank you for your help

    Due to human error, the Authenticated Users permission was tampered with. After fixing that, the delegation works normally.

    Thanks


    Thanks HA

    Wednesday, July 24, 2019 7:52 AM
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

     

    Best Regards,

    Fan



    Thursday, July 25, 2019 7:20 AM