Support staff can reset some User passwords but not all?
In our environment we have two AD-accounts per person, one user level account and one admin level account.
Our support staff can only reset user level accounts, which is good, but I can't figure out why. These are the ADUC permissions on the top domain:
What can be causing them to not be able to reset admin-accounts? The admin accounts are not part of any global admin group (Domain Admins etc).
Is it possible that they were once part of the Domain Admins group?
If so, inheritance of permissions from the OU would be disabled on them and you would have to reactivate it manually.
+0 – Yes, in fact they were! I can now see on the user objects' security tab that the support staff doesn't have permission to reset. What's the easiest approach to delegate this? Because newer admin accounts will not be part of DA at any point, so I want to make this standard and only if your account is in a certain group you can reset admin passwords. Do I need to add a group on every account? — Jul 07, 2022 at 12:33
+1 – Open the user and go to the Security tab. Click on Advanced. If it says "Enable inheritance" in the bottom left corner, it is disabled. If you haven't set some permissions manually on these users, you should just be able to enable it again. I would compare the permissions with those of the OU first to be sure there won't be something missing afterwards. — Jul 07, 2022 at 12:40
+0 – As I don't know the history of your AD, I can't tell you 100% what to do. Once inheritance is enabled on any users again, you would be able to give permissions to change passwords on an OU. Maybe start with one user at the time ;) — Jul 07, 2022 at 12:45
+2 – So I have now created a specific group to handle ADM accounts, and kept the disabled inheritance on the OU where the admin accounts are located. Thanks for the help! — Jul 07, 2022 at 13:50
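The behaviour behind the accepted answer is the SDProp process: accounts that were ever in a protected group such as Domain Admins get `adminCount=1` and an ACL copied from AdminSDHolder with inheritance blocked, and neither is undone when the account leaves the group. The following PowerShell audit script is an added example, not code from the question or the answerer: it lists the admin accounts in that state, whether they are still in a protected group, and whether the support-staff group holds the "Reset Password" extended right on them, with a helper that re-enables inheritance the way the comment describes. The group name `Support-Staff`, the OU distinguished name and the list of protected groups are placeholders and assumptions for your own domain.

```powershell
# Added example (not the original post's code). Assumptions: RSAT ActiveDirectory module
# is installed; 'Support-Staff' and the OU DN below are placeholders for your own names.
Import-Module ActiveDirectory
$SupportGroup = 'Support-Staff'                          # placeholder group name
$AdminOU      = 'OU=Admin Accounts,DC=example,DC=com'    # placeholder OU DN
# Well-known GUID of the "Reset Password" extended right (User-Force-Change-Password).
$ResetPwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Groups whose members SDProp protects through AdminSDHolder (common subset, adjust to taste).
$ProtectedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                   'Account Operators','Server Operators','Backup Operators','Print Operators'
$ProtectedMembers = foreach ($g in $ProtectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}

function Get-AdminSdHolderLeftover {
    # One row per account SDProp has touched at some point (adminCount=1).
    Get-ADUser -SearchBase $AdminOU -Filter 'adminCount -eq 1' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $user = $_
        $acl  = $user.nTSecurityDescriptor
        # Looks for a direct "Reset Password" ACE only; Full Control would also imply it.
        $resetAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$SupportGroup" -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $ResetPwdGuid
        }
        [PSCustomObject]@{
            User                 = $user.SamAccountName
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            StillProtectedMember = $ProtectedMembers -contains $user.DistinguishedName
            SupportCanResetPwd   = [bool]$resetAce
        }
    }
}

function Enable-UserAclInheritance {
    # Same effect as Security tab > Advanced > "Enable inheritance": explicit ACEs are kept.
    # Only useful for accounts no longer in a protected group; otherwise SDProp re-blocks
    # inheritance on its next run. adminCount is cleared so the account is not flagged again.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from the OU again
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
}

# Report only; review the rows (and the OU's own ACL) before re-enabling inheritance per account.
Get-AdminSdHolderLeftover | Format-Table -AutoSize
```

Rows with `InheritanceBlocked = True`, `StillProtectedMember = False` and `SupportCanResetPwd = False` are the accounts the answer is talking about; the OU-level delegation only reaches them once inheritance is back on or, as the asker chose, once an explicit ACE for the dedicated group is placed on the OU with inheritance left off.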