Windows Server 2008 Active Directory - Delegation of Control Wizard


  • I'm running Windows Server 2008 x64 R2 fully updated.  I created a group for Help Desk and added our help desk users to it.  I then ran the wizard to give them control over our standard users to reset their password (i.e. Reset User Passwords and force password change at next logon).  It worked the very first time I tested it, but now all help desk techs that are in this group CANNOT change passwords.  I get the following error:

    Windows cannot complete the password change for %username% because:  Access is Denied


    I've even gone into the DACL and restored everything to defaults and retried everything.  I've gone as far as deleting the group and users, restarting the server, and recreating everything with the same result.  What gives?  Am I missing something simple?

    There is always a way...
    Friday, December 16, 2011 9:01 PM


All replies

  • Did you run the wizard on the root of the domain?

    If you look at the Users OU security properties, do you see the Help Desk ACL?

    Friday, December 16, 2011 10:08 PM
  • I ran it on the users OU and yes, I see the HD ACL.
    There is always a way...
    Friday, December 16, 2011 10:45 PM
    1. Please try to grant the HD group Read permission on the users.

    2. Are the created users members of the Domain Admins group?

    Saturday, December 17, 2011 9:31 AM
  • Hi,

    Do you mean that you delegated the control of the Users container?

    I would like to know whether the user whose password you want to reset is in the Users container or in another OU.

    In addition, please refer to the below steps to delegate control:

    To Delegate Group to Reset and Change Password:

    1. Right click on the OU and choose Delegate Control.

    2. In the delegation of control wizard, select your OU Admins group (or whatever you are delegating to), then in the next screen select "Create a custom task to delegate".

    3. In the next screen, choose the radio button for "Only the following objects in the folder", then put a check mark next to User objects, then click Next.

    4. In the Permissions screen, put checks next to "change password", "reset password", and the "read and write account restrictions" permissions. Then click next to finish.

    Hope this helps.

    Best Regards,

    Yan Li

    TechNet Community Support

    Monday, December 19, 2011 8:06 AM
  • Thank you for all of your help, I found that there was a SID that was associated with the OU. It was no longer attached to a user, so I deleted it and everything worked.
    There is always a way...
    Monday, December 19, 2011 9:05 PM
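The following PowerShell script is an added example, not code from anyone in this thread. It applies the same delegation the custom-task wizard steps above describe (Reset Password, Change Password, and read/write of the account-restrictions property set, scoped to User objects under the OU), and then lists ACEs on that OU whose trustee no longer resolves to an account, which is the kind of stale SID the original poster found. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and group name are placeholders.

```powershell
# Added example: replicate the wizard's custom-task delegation and audit the OU
# ACL for unresolved (orphaned) SIDs. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$ouDn      = "OU=Standard Users,DC=example,DC=local"   # placeholder: your OU
$groupName = "Help Desk"                                # placeholder: your group

# Well-known schema and extended-right GUIDs used by the Delegation of Control Wizard
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # User object class
$resetPasswordGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password
$changePasswordGuid = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"  # Change Password
$acctRestrictGuid   = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set

$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDn"

# Extended rights, inherited only by descendant User objects (step 3 of the wizard)
foreach ($right in $resetPasswordGuid, $changePasswordGuid) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)))
}

# Read/Write of the account-restrictions property set ("force change at next logon")
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $acctRestrictGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: ACEs whose trustee cannot be translated to a name are left as raw SIDs
# by Get-Acl; these belong to deleted principals and should be reviewed/removed.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

Run the audit part alone first if you only want to find stale entries; it makes no changes.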