Help Desk has been delegated rights to reset password, but receiving error message Access denied.

All,

I really need your help. In our environment a strange thing is happening. Help Desk has been delegated rights to reset all users' passwords at the Domain level, and Domain > Properties > Security > Advanced shows that Help Desk has the reset password capability. The Inheritance column shows "not inherited". The strange thing is that when I re-delegate it, it works, then it stops working after some time. How do I check which GPO is turning this capability off? I will really appreciate your help.

thanks,

Riba

July 22nd, 2015 10:29am

I believe this is the wrong forum, since this forum is for FIM.

If this is a pure AD issue, you need to check all the GPOs that are applied to the root OU and/or the OU where the users reside. There is no easy way, except looking at them one at a time and eyeballing them.

July 22nd, 2015 11:36am

Indeed this is the wrong forum, but I think this is because of the AdminSDHolder.

See: http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/

I assume some of the users are in privileged groups (like Admin), so the permissions are removed from them by a service after some time.

/Peter

July 23rd, 2015 6:00am

Peter,

I respectfully disagree with you.

1. Riba says that the delegated access is being removed after some time. I don't think this has anything to do with the AdminSDHolder. In the case of AdminSDHolder, you cannot modify the object being protected ever, not for 10 minutes, not ever.

2. The delegated access is usually set at the root of the domain, or at the Users OU, which has all users. Riba says that when she sets the access, it works, but it gets removed after a while. I believe, as she suspects, this is a GPO.

In any event, AdminSDHolder would not remove delegated access from the OU where it is applied; it would only forbid anyone from making any changes to the admin (privileged) accounts where AdminSDHolder is applied.

Lastly, nowhere does Riba say the reset is done from FIM (that is why I said it is the wrong forum). A helpdesk user can simply use ADUC to reset a user's password. This issue would happen either way, by the way. The end result would not change.

July 23rd, 2015 8:59am

As far as I remember and have in mind, you can modify objects which are AdminSDHolder protected, but there is a service, SDPROP, that runs every 60 min by default which checks the ACLs and resets them to the ones which should apply and are set on the AdminSDHolder object for that principal.

This article also describes that functionality, and I remember I ran into that issue a long time ago too.

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

Maybe a moderator can move this thread to the correct forum?

July 23rd, 2015 2:06pm
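A diagnostic that follows from the AdminSDHolder/SDProp explanation above, added here as an example and not code from any poster: it lists the users SDProp has stamped as protected (adminCount=1) and checks whether the Help Desk reset-password ACE is present on AdminSDHolder and on each of those users. It assumes the RSAT ActiveDirectory module; the group name CONTOSO\Help Desk is a placeholder.

```powershell
# Added diagnostic example (not from the thread). Requires the RSAT ActiveDirectory
# module, which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

$HelpDeskGroup = 'CONTOSO\Help Desk'   # placeholder: use your own DOMAIN\group
# Well-known control access right GUID for "Reset Password" (User-Force-Change-Password)
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Test-ResetPasswordAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # An Allow ACE for the Help Desk group granting ExtendedRight, either for the
    # reset-password GUID specifically or for all extended rights (empty GUID).
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $HelpDeskGroup -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$match
}

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# adminCount=1 marks accounts SDProp has stamped as protected (members of protected groups).
# These are the accounts whose ACLs get overwritten from AdminSDHolder on each SDProp run.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

"AdminSDHolder grants Help Desk reset password: $(Test-ResetPasswordAce $adminSdHolder)"
foreach ($u in $protected) {
    $hasAce = Test-ResetPasswordAce $u.DistinguishedName
    '{0,-30} adminCount={1} HelpDeskResetACE={2}' -f $u.SamAccountName, $u.adminCount, $hasAce
}
```

If the delegated ACE is present on ordinary users but missing on the adminCount=1 accounts and on AdminSDHolder itself, SDProp rather than a GPO is what keeps removing it.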
