Hello, I created taskpads for remote admins to reset passwords for folks at their site. I created a group for admins and gave delegation on the site OU. The problem is that for doing "force change password on next logon", there are certain permissions on user objects which need to be enabled. So I enabled "ReadPWDLastSet" and "WritePWDLastSet" as well as "Password Reset" on user objects for the admin group. Unfortunately, when they right click on the user, the "User must change password on next logon" is greyed out, but in User Properties->Account tab, "User must change password on next logon" is not greyed out and they can select it. Why is it happening, and what attributes do they need to have it enabled when they do "Right Click and reset password"?

Sorry if the question is too long, but let me know of any clarifications needed. Thank you.

Darktux
  • That's an interesting one, both actions must set the same attribute on the account. Is the user cannot change password attribute set maybe? Either way you would have thought that it would be consistently represented. – john Jul 03 '13 at 18:20
  • 1
    There is this too, this all sounds quite familiar to me... http://support.microsoft.com/kb/832481 – john Jul 03 '13 at 18:24
  • Hope you don't mind me adding this as an answer so you can flag it as correct?? I know you already added yourself. – john Jul 03 '13 at 21:29
  • @John, marked your answer. – Darktux Jul 12 '13 at 13:25

2 Answers

I just went back and verified this on a Windows Server 2003 Standard SP2 x86 VM. I did the following and got satisfactory results:

  • I created a top-level OU in my domain, "Test"
  • In that OU I created a user "Test1"
  • I created a test user "PWReset" in the default "Users" container
  • I used the "Delegate Control" wizard to delegate "Reset user passwords and force password change at next logon" to the "PWReset" user

Once I did this I opened a copy of "Active Directory Users and Computers" as the "PWReset" user and found that I was able to reset the "Test1" user's password and tick the "User must change password at next logon" box.

If you're going to do the Delegation "by hand" you also need to grant the object permission "Reset Password" on "User" objects to the delegated principal along with the properties permission to allow "Read pwdLastSet" and "Write pwdLastSet". Personally, I'd just use the wizard.

Evan Anderson
  • Evan, all the 3 permissions needed, "Read PwdLastSet", "WritePwdLastSet" and "Reset Password", are available to site admins via OU delegation, but they can only find "force password change..." in Properties -> Account tab and not in the "Right click -> Password reset" box. Probably it's the difference of using Taskpads vs DSA.msc? – Darktux Jul 03 '13 at 21:07
  • When I have some time I'll try a taskpad and report back. (Actually, if you don't mind emailing me your .MSC file it would be helpful. You can get my email from a link in my SF profile.) – Evan Anderson Jul 03 '13 at 21:11
  • Got it, just read the article shared by John; it's actually a bug in Windows 2003 R2 :( ; please take a look at this http://support.microsoft.com/kb/832481 ; thanks for your effort Evan. – Darktux Jul 03 '13 at 21:14
  • @Darktux - I'm not so sure about that, though. Can you verify the version of the `dsadmin.dll` on your machine? I'm seeing that mine is newer than the hotfix version. Did you find that the hotfix actually resolved the issue? I'd still be interested in getting a copy of your Taskpad if you don't mind sending it. – Evan Anderson Jul 03 '13 at 21:59
  • Sorry Evan, I couldn't copy the msc file from the isolated domain, I need to use a personal USB which is not allowed here; but the fix worked great for me since most of those machines are XP SP1. – Darktux Jul 12 '13 at 13:38
  • Oh, wow! XP Service Pack 1. Wow. That would be a fun network to pentest-- though probably a little too easy. – Evan Anderson Jul 12 '13 at 14:04
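The "by hand" delegation described in the answer above, written out as an added PowerShell example (this is not code from the original answer or from Microsoft; it assumes the ActiveDirectory module that ships with Windows Server 2008 R2 and later, and the OU distinguished name and group name are placeholders). It grants exactly the three permissions the answer names, Reset Password plus Read and Write on pwdLastSet, on User objects under the site OU, and then lists the resulting ACEs so you can confirm what the Delegate Control wizard would have produced:

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# module; the OU DN and group name below are placeholders for your environment.
Import-Module ActiveDirectory

$ouDN     = "OU=Site1,DC=example,DC=com"   # assumption: the delegated site OU
$groupSam = "Site1-PasswordAdmins"          # assumption: the site admin group

# Schema GUIDs used to scope the ACEs (these are the real AD schema GUIDs):
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # class: user
$pwdLastSetGuid    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # attribute: pwdLastSet
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # control access right: Reset Password

$sid = (Get-ADGroup -Identity $groupSam).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the "Reset Password" extended right, inherited only by user objects
# under the OU (this is what the right-click "Reset Password..." needs).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: Read + Write on the pwdLastSet property. Ticking "User must change
# password at next logon" writes pwdLastSet = 0, so without this ACE the
# checkbox has nothing it is allowed to do.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show the ACEs now held by the group on the OU. You should see one
# ExtendedRight entry with ObjectType 00299570-... and one
# ReadProperty, WriteProperty entry with ObjectType bf967a0a-..., both with
# InheritedObjectType bf967aba-... (user) and InheritanceType Descendents.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Functional check, run as a member of the group against a test account
# (assumption: a user "Test1" exists under the OU):
#   Set-ADAccountPassword -Identity Test1 -Reset `
#       -NewPassword (Read-Host -AsSecureString "Temporary password")
#   Set-ADUser -Identity Test1 -ChangePasswordAtLogon $true
# If the second command succeeds, the pwdLastSet ACE is in place and the
# greyed-out checkbox is a console (dsadmin.dll) problem rather than a
# missing permission.
```

Scoping both ACEs with the user class as the inherited object type is what keeps the delegation to user objects only; granting Write on pwdLastSet without that scope would also apply to computer accounts, which the question does not ask for.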
There is a bug in Server 2003 that causes this to happen. There is an MS KB article that fixes exactly the problem you are describing. If you have already obtained the relevant service pack, then perhaps @EvanAnderson's answer would help you out.

http://support.microsoft.com/kb/832481

john
  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – EEAA Jul 03 '13 at 22:00
  • Hmmm... Shame to get downvoted for that, since there's little more to add. But I will update the answer with the essential points. – john Jul 04 '13 at 07:08