Yep that looks good, assuming that the user object inherits that ACE (double-check with dsacls on the actual user object) and that the user attempting to make the change has the group in their token (double-check with whoami /groups or sectok), then they should be able to change the password fine with LDAP based mechanisms. NET API mechanisms will still fail because they don't understand delegation though, and you need to be aware of that. However, delegating straight to a userid would not overcome the NET API limitation.

If someone says they can't delegate to a group but can to a user, the issue is usually either the delegation wasn't done properly for the group or the group membership is not in effect for whatever reason which could be replication latency, not getting a new security token, etc.

Anyway, I just delegated exactly as you indicated in my test forest and was able to successfully change the password.


C:\>whoami /groups

[Group  1] = "JOE\Domain Users"
[Group  2] = "Everyone"
[Group  3] = "BUILTIN\Users"
[Group  4] = "NT AUTHORITY\INTERACTIVE"
[Group  5] = "NT AUTHORITY\Authenticated Users"
[Group  6] = "LOCAL"
[Group  7] = "JOE\Password Managers"

C:\>admod -b CN=testuser,OU=pwdrst,OU=TestOU,DC=joe,DC=com unicodepwd::Somepassword -kerbenc

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: CN=testuser,OU=pwdrst,OU=TestOU,DC=joe,DC=com...

The command completed successfully


C:\>adfind -b ou=pwdrst,ou=testou,dc=joe,dc=com -s base ntsecuritydescriptor -sddl+ -resolvesids

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003

dn:ou=pwdrst,ou=testou,dc=joe,dc=com
>nTSecurityDescriptor: [OWNER] JOE\Domain Admins
>nTSecurityDescriptor: [GROUP] JOE\Domain Admins
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;CR;Reset Password;user;JOE\Password Managers
>nTSecurityDescriptor: [DACL] OA;;CCDC;inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OA;;CCDC;user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] OA;CIID;WP;groupType;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;displayName;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;Public Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIID;WP;Personal Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;RP;tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;inetOrgPerson;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;user;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORCWD;;group;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIOID;LCRPLORC;;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CIID;LC;;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;CIID;LC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CIIDSA;WP;gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OU;CIIDSA;WP;gPOptions;organizationalUnit;Everyone



1 Objects returned





--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Tuesday, May 02, 2006 8:36 AM
To: [email protected]
Subject: RE: [ActiveDir] ResetPassword perm and groups

Here's the dump of the ACL for one of the OUs I'm looking at. I have changed the usernames to protect the innocent, but the group in question is called "Password Managers":


Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow MYDOMAIN\Domain Admins                       FULL CONTROL
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow BUILTIN\Administrators                      SPECIAL ACCESS
<Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins                   FULL CONTROL
<Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS
<Inherited from parent>
                                                  LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
<Inherited from parent>
                                                  LIST CONTENTS
Allow BUILTIN\Account Operators                   SPECIAL ACCESS for
group
                                                  CREATE CHILD
                                                  DELETE CHILD
Allow BUILTIN\Account Operators                   SPECIAL ACCESS for
user
                                                  CREATE CHILD
                                                  DELETE CHILD
Allow BUILTIN\Account Operators                   SPECIAL ACCESS for
computer
                                                  CREATE CHILD
                                                  DELETE CHILD
Allow BUILTIN\Print Operators                     SPECIAL ACCESS for
printQueue
                                                  CREATE CHILD
                                                  DELETE CHILD
Allow MYDOMAIN\USER2                             SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\Password Managers                   SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\USER1                                SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
Public Information   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
Personal Information   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
groupType   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
displayName   <Inherited from parent>
                                                  WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3                             SPECIAL ACCESS
for gPOptions   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TRUSTED_DOMAIN\USER3                             SPECIAL ACCESS
for gPLink   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators                      SPECIAL ACCESS
<Inherited from parent>
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins                   FULL CONTROL
<Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS
<Inherited from parent>
                                                  LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
<Inherited from parent>
                                                  LIST CONTENTS
Allow MYDOMAIN\USER2                             SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\Password Managers                   SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\USER1                                SPECIAL ACCESS for
msExchHideFromAddressLists
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
Public Information   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
Personal Information   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
groupType   <Inherited from parent>
                                                  WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS for
displayName   <Inherited from parent>
                                                  WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3                             SPECIAL ACCESS
for gPOptions   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow TRUSTED_DOMAIN\USER3                             SPECIAL ACCESS
for gPLink   <Inherited from parent>
                                                  WRITE PROPERTY
                                                  READ PROPERTY

Inherited to user
Allow NT AUTHORITY\SELF                           SPECIAL ACCESS for
description   <Inherited from parent>
                                                  WRITE PROPERTY
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
<Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
<Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to group
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS
<Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow MYDOMAIN\Exchange Enterprise Servers         SPECIAL ACCESS
<Inherited from parent>
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow MYDOMAIN\USER1                                Reset Password
Allow MYDOMAIN\Password Managers                   SPECIAL ACCESS for
pwdLastSet
                                                  WRITE PROPERTY
Allow MYDOMAIN\Password Managers                   Reset Password
Allow MYDOMAIN\USER2                             Reset Password