Delegating AD permission to reset user passwords

active-directory

I am trying to delegate permission to my helpdesk technicians to allow them to reset user passwords in our Win2008 R2 AD. I've used the delegate control wizard in ADUC and am delegating the predefined permission "Reset user passwords and force password change at next logon" to a 'Helpdesk' AD group, which all of our helpdesk techs are members of. I'm delegating this permission on the default Users container in AD, which all of our end user accounts are under.

I've manually connected to each DC using ADUC and run the delegation wizard to be doubly sure all DCs know about the delegation.

I have created a test AD user account in the default Users container. I set up a test Win7 virtual machine and joined it to the domain. Then I logged into this VM as one of the helpdesk users and tried to reset the test AD account's password from the command line:

net user testuser Somepassword1 /domain

This is the response I receive:

The request will be processed at a domain controller for domain mycompany.local.

System error 5 has occurred.

Access is denied.

The same command works fine for me if I run it on my computer while logged in as my domain admin account.

I checked a few other similar questions and it was suggested to examine the effective permissions, but I'm not sure how to go about doing so.

Best Answer

I would try it with PowerShell rather than the net command; you will need to install the admin pack (RSAT) in your Windows 7 VM and then in PowerShell:

Import-Module ActiveDirectory

# -Reset performs an administrative reset (no old password required);
# -NewPassword takes a SecureString, not a plain string
Set-ADAccountPassword -Identity testuser -Reset -NewPassword (ConvertTo-SecureString 'mypassword1' -AsPlainText -Force) -Verbose
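To check the effective delegation directly rather than by trial and error, the following added example (not part of the question or the answer) reads the ACL on the Users container and reports whether the Helpdesk group holds the two rights the wizard's "Reset user passwords and force password change at next logon" task grants: the Reset Password control access right and write access to pwdLastSet. The domain DN mycompany.local and the group name MYCOMPANY\Helpdesk are assumptions taken from the question.

```powershell
# Added example: verify the delegated ACEs on the Users container.
# Assumes the domain is mycompany.local and the group is MYCOMPANY\Helpdesk.
Import-Module ActiveDirectory

$container = 'CN=Users,DC=mycompany,DC=local'
$group     = 'MYCOMPANY\Helpdesk'

# Well-known AD schema GUIDs (fixed across all forests, not domain-specific)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

$acl = Get-Acl -Path "AD:\$container"

# Only Allow ACEs granted to the Helpdesk group matter here
$aces = $acl.Access | Where-Object {
    $_.IdentityReference -eq $group -and $_.AccessControlType -eq 'Allow'
}

# The ACE must be inheritable (the wizard scopes it to descendant user objects),
# otherwise it applies to the container itself and never reaches the user accounts.
function Test-Inheritable($ace) {
    $ace.InheritanceType -ne 'None' -and
    ($ace.InheritedObjectType -eq [Guid]::Empty -or $ace.InheritedObjectType -eq $userClass)
}

$hasReset = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $resetPasswordRight -and (Test-Inheritable $_)
}

$hasPwdLastSet = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.ObjectType -eq $pwdLastSetAttr -and (Test-Inheritable $_)
}

[pscustomobject]@{
    Container       = $container
    Group           = $group
    ResetPassword   = [bool]$hasReset
    WritePwdLastSet = [bool]$hasPwdLastSet
}
```

Run it against each DC (for example with `-Server` on a preceding `Get-ADDomainController` lookup, or simply from a session bound to that DC) if you suspect the delegation has not replicated; both properties should read True before a helpdesk member is expected to succeed.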