Minimum permissions needed for a delegated administrator to force a password change at next logon (296999)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1

This article was previously published under Q296999

SYMPTOMS

By default, when you, as the administrator, use the Delegation of Control Wizard to delegate the ability to reset passwords to a user or group, that user or group does not receive the permission to force a user whose password has been reset to change it the next time that the user logs on. If the delegated user right-clicks a user account, clicks Reset Password, and then clicks to select the User must change password at next logon check box, the account's password is reset, but the owner of that account is not forced to change the password the next time that they log on.

CAUSE

This behavior occurs because the delegated user does not have the minimum permission that is necessary to set the User must change password at next logon option, which is the Write Account Restrictions permission on user objects. When you delegate the ability to reset passwords, the only permission that is granted over the delegated container is the Reset Password permission on user objects.

RESOLUTION

You can use the Delegation of Control Wizard to delegate the Reset Password permission to the delegated user. However, to change the "User must change password at next logon" flag, the delegated user must also have write permission on the user objects in the delegated container, and that write permission grants more than is needed: the Write Account Restrictions permission is a super permission that also gives access to several other user properties. The only property that is needed to force a user to change their password at next logon is pwdLastSet. By default, the individual properties are not visible in the permission list; this filtering is controlled by values in the Dssec.dat file. To resolve this issue, use the following steps to delegate only the Reset Password permission and the pwdLastSet property to a user-defined group named Help Desk.
  1. Disable the filter for the user permissions:
    1. Click Start, click Run, type Dssec.dat in the Open box, and then click OK.
    2. Click Open With, click Notepad, and then click OK.
    3. In the [User] section, edit the pwdLastSet value by changing pwdLastSet=7 to pwdLastSet=0.
    4. Quit Notepad.
    Note: Do not change the value of pwdLastSet in the [Computer] section. By default, the pwdLastSet value does not exist in the [User] section of the Dssec.dat file on Windows Server 2003. Therefore, if you are running Windows Server 2003, you need to add it manually.
  2. Delegate the permissions to the Help Desk group:
    1. Click Start, click Run, type dsa.msc in the Open box, and then click OK.
    2. Right-click the organizational unit to which you want to delegate permissions, and then click Delegate Control.
    3. Click Next, and then click Add.
    4. Click Help Desk, click Add, and then click OK.
    5. Click Next, click Create a custom task to delegate, and then click Next.
    6. Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
    7. Click to select the General and the Property-specific check boxes.
    8. Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permission box.
    9. Click Next, and then click Finish.
  3. Enable the filter for the user permissions:
    1. Click Start, click Run, type Dssec.dat in the Open box, and then click OK.
    2. Click Open With, click Notepad, and then click OK.
    3. In the [User] section, edit the pwdLastSet value by changing pwdLastSet=0 to pwdLastSet=7.
    4. Quit Notepad.
Additionally, if you want to verify the security changes, you can follow these steps:
  1. Click Start, click Run, type dsa.msc, and then click OK.
  2. On the View menu, select Advanced Features.
  3. Right-click the organizational unit that you delegated permissions to, and then click Properties.
  4. Click the Security tab, click the Help Desk group, and then click Advanced.
  5. Click Read/Write Property on the Permission Entries, and then click View/Edit.
  6. You can see that only the Read pwdLastSet and the Write pwdLastSet properties are set to Allow, but the Help Desk does not have access to any other properties.
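The delegation and verification steps above as a scripted equivalent, added here and not part of the KB article. It assumes the ActiveDirectory PowerShell module with its AD: drive (Windows Server 2008 R2 or later, PowerShell 5 or later), a placeholder OU distinguished name, the Help Desk group, and an account that is allowed to modify the OU's ACL; because the ACEs are written directly, the Dssec.dat display filter does not need to be edited.

```powershell
# Added example, not from the KB article: grant the Help Desk group the Reset Password
# right plus Read/Write on the single pwdLastSet property for user objects in one OU,
# then list the resulting ACEs. OU and group names below are placeholders.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=com'   # placeholder OU to delegate over
$Group = 'Help Desk'                    # group that receives the permissions

# Resolve the GUIDs the ACEs need from the schema and configuration partitions
# instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$userClassGuid  = Get-SchemaGuid 'user'
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'
$resetPwdRight  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwdGuid   = [guid]$resetPwdRight.rightsGuid

$sid     = (Get-ADGroup -Identity $Group).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$OuDn"

# ACE 1: the Reset Password control access right on user objects only, which is
# what the Delegation of Control Wizard grants by itself.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwdGuid, $inherit, $userClassGuid))

# ACE 2: Read and Write on the single pwdLastSet property, rather than the much
# broader Write Account Restrictions permission.
$rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rw, $allow, $pwdLastSetGuid, $inherit, $userClassGuid))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verification (mirrors the manual check): list every ACE on the OU that names the
# group. Only the two entries added above should appear.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The ObjectType column shows the Reset Password right GUID on the first entry and the pwdLastSet attribute GUID on the second; any extra rows mean the group holds permissions beyond the minimum described in this article.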

MORE INFORMATION

For additional information about delegating permissions, click the article numbers below to view the articles in the Microsoft Knowledge Base:

235531 Default Security Concerns in Active Directory Delegation

229873 Delegate Control Wizard Cannot Be Used to Remove Groups or Users

296490 How to modify the filtered properties of an object


Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords: kbACL kbprb KB296999 kbAudITPRO