Yep that looks good, assuming that the user object inherits that ACE (double-check with dsacls on the actual user object) and that the user attempting to make the change has the group in their token (double-check with whoami /groups or sectok), then they should be able to change the password fine with LDAP-based mechanisms. NET API mechanisms will still fail because they don't understand delegation though, and you need to be aware of that. However, delegating straight to a userid would not overcome the NET API limitation.

If someone says they can't delegate to a group but can to a user, the issue is usually either the delegation wasn't done properly for the group or the group membership is not in effect for whatever reason, which could be replication latency, not getting a new security token, etc.

Anyway, I just delegated exactly as you indicated in my test forest and was able to successfully change the password.
C:\>whoami /groups
[Group 1] = "JOE\Domain Users"
[Group 2] = "Everyone"
[Group 3] = "BUILTIN\Users"
[Group 4] = "NT AUTHORITY\INTERACTIVE"
[Group 5] = "NT AUTHORITY\Authenticated Users"
[Group 6] = "LOCAL"
[Group 7] = "JOE\Password Managers"

C:\>admod -b CN=testuser,OU=pwdrst,OU=TestOU,DC=joe,DC=com unicodepwd::Somepassword -kerbenc
AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: CN=testuser,OU=pwdrst,OU=TestOU,DC=joe,DC=com...

The command completed successfully

C:\>adfind -b ou=pwdrst,ou=testou,dc=joe,dc=com -s base ntsecuritydescriptor -sddl+ -resolvesids
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003

dn:ou=pwdrst,ou=testou,dc=joe,dc=com
>nTSecurityDescriptor: [OWNER] JOE\Domain Admins
>nTSecurityDescriptor: [GROUP] JOE\Domain Admins
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;CR;Reset Password;user;JOE\Password Managers
>nTSecurityDescriptor: [DACL] OA;;CCDC;inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] OA;CIID;WP;groupType;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;displayName;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;Public Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;Personal Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;inetOrgPerson;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;user;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORCWD;;group;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CIID;LC;;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;CIID;LC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CIIDSA;WP;gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OU;CIIDSA;WP;gPOptions;organizationalUnit;Everyone

1 Objects returned
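As an added example (not code from this thread or from the joeware tools), a small Python parser for the kind of DACL lines adfind prints with -sddl+ -resolvesids: it reports which trustees hold the Reset Password control right, whether the ACE is scoped to user objects, and whether the IO (inherit only) flag means it applies to children of the OU rather than the OU itself, which is why the OU's own effective permissions would not list it. It also flags an unscoped CR (no object GUID, as on the Domain Admins ACE), which covers every control access right; the sample dump is constructed from lines in the post.

```python
import re

# Constructed sample in the shape adfind -sddl+ -resolvesids prints, with the
# wrapped lines from the post joined back together; not a real dump.
SAMPLE_DUMP = """\
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;CR;Reset Password;user;JOE\\Password Managers
>nTSecurityDescriptor: [DACL] OA;;CCDC;user;;BUILTIN\\Account Operators
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;JOE\\Domain Admins
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;user;NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS
"""

DACL_LINE = re.compile(r"^>nTSecurityDescriptor:\s+\[DACL\]\s+(.*)$")

def pairs(s):
    """SDDL flag and right strings are runs of two-letter codes: 'CIIO' -> {'CI', 'IO'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_ace(ace):
    """Split 'type;flags;rights;object;inherit_object;trustee'; None for control flags like 'AI'."""
    parts = ace.split(";", 5)
    if len(parts) != 6:
        return None
    ace_type, flags, rights, obj, inh_obj, trustee = parts
    return {"type": ace_type, "flags": pairs(flags), "rights": pairs(rights),
            "object": obj, "inherit_object": inh_obj, "trustee": trustee}

def reset_password_grants(dump):
    """(trustee, scope, applies_to, children_only) for each allow ACE carrying the
    Reset Password control right, named explicitly or via an unscoped CR."""
    grants = []
    for line in dump.splitlines():
        m = DACL_LINE.match(line)
        ace = parse_ace(m.group(1)) if m else None
        if not ace or ace["type"] not in ("A", "OA") or "CR" not in ace["rights"]:
            continue
        if ace["object"] == "Reset Password":
            scope = "Reset Password"
        elif ace["object"] == "":
            scope = "all control access rights"   # CR with no GUID = every extended right
        else:
            continue                               # CR on some other extended right
        grants.append((ace["trustee"], scope,
                       ace["inherit_object"] or "any object class",
                       "IO" in ace["flags"]))      # CIIO: child objects only, not the OU itself
    return grants
```

Run against a real dump, the same function lists every principal who can reset passwords under an OU, the check to make before and after a delegation like the one in this thread.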
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Tuesday, May 02, 2006 8:36 AM
To: [email protected]
Subject: RE: [ActiveDir] ResetPassword perm and groups

Here's the dump of the ACL for one of the OUs I'm looking at. I have changed the usernames to protect the innocent, but the group in question is called "Password Managers":
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users        SPECIAL ACCESS
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow MYDOMAIN\Domain Admins                  FULL CONTROL
Allow NT AUTHORITY\SYSTEM                     FULL CONTROL
Allow BUILTIN\Administrators                  SPECIAL ACCESS   <Inherited from parent>
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins              FULL CONTROL   <Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS   <Inherited from parent>
                                              LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS   <Inherited from parent>
                                              LIST CONTENTS
Allow BUILTIN\Account Operators               SPECIAL ACCESS for group
                                              CREATE CHILD
                                              DELETE CHILD
Allow BUILTIN\Account Operators               SPECIAL ACCESS for user
                                              CREATE CHILD
                                              DELETE CHILD
Allow BUILTIN\Account Operators               SPECIAL ACCESS for computer
                                              CREATE CHILD
                                              DELETE CHILD
Allow BUILTIN\Print Operators                 SPECIAL ACCESS for printQueue
                                              CREATE CHILD
                                              DELETE CHILD
Allow MYDOMAIN\USER2                          SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\Password Managers              SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\USER1                          SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for Public Information   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for Personal Information   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for groupType   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for displayName   <Inherited from parent>
                                              WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3                    SPECIAL ACCESS for gPOptions   <Inherited from parent>
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow TRUSTED_DOMAIN\USER3                    SPECIAL ACCESS for gPLink   <Inherited from parent>
                                              WRITE PROPERTY
                                              READ PROPERTY

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators                  SPECIAL ACCESS   <Inherited from parent>
                                              DELETE
                                              READ PERMISSONS
                                              WRITE PERMISSIONS
                                              CHANGE OWNERSHIP
                                              CREATE CHILD
                                              LIST CONTENTS
                                              WRITE SELF
                                              WRITE PROPERTY
                                              READ PROPERTY
                                              LIST OBJECT
                                              CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins              FULL CONTROL   <Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS   <Inherited from parent>
                                              LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS   <Inherited from parent>
                                              LIST CONTENTS
Allow MYDOMAIN\USER2                          SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\Password Managers              SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\USER1                          SPECIAL ACCESS for msExchHideFromAddressLists
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for Public Information   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for Personal Information   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for groupType   <Inherited from parent>
                                              WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS for displayName   <Inherited from parent>
                                              WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3                    SPECIAL ACCESS for gPOptions   <Inherited from parent>
                                              WRITE PROPERTY
                                              READ PROPERTY
Allow TRUSTED_DOMAIN\USER3                    SPECIAL ACCESS for gPLink   <Inherited from parent>
                                              WRITE PROPERTY
                                              READ PROPERTY
Inherited to user
Allow NT AUTHORITY\SELF                       SPECIAL ACCESS for description   <Inherited from parent>
                                              WRITE PROPERTY
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS   <Inherited from parent>
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                              SPECIAL ACCESS   <Inherited from parent>
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Inherited to group
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS   <Inherited from parent>
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Inherited to user
Allow MYDOMAIN\Exchange Enterprise Servers    SPECIAL ACCESS   <Inherited from parent>
                                              READ PERMISSONS
                                              LIST CONTENTS
                                              READ PROPERTY
                                              LIST OBJECT
Allow MYDOMAIN\USER1                          Reset Password
Allow MYDOMAIN\Password Managers              SPECIAL ACCESS for pwdLastSet
                                              WRITE PROPERTY
Allow MYDOMAIN\Password Managers              Reset Password
Allow MYDOMAIN\USER2                          Reset Password
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
