9/13/2013 6:10:25 AM
If you've installed Password Reset Server (PRS) you'll know you have to create a service account for PRS within AD to access the user accounts you wish to give self-service password reset access, with the following specific permissions:
- Object > Descendant User objects > Change Password
- Object > Descendant User objects > Reset Password
- Properties > Descendant User objects > Write lockoutTime
- Properties > Descendant User objects > Read pwdLastSet
The instructions clearly explain where to set these permissions within AD (either at the domain root, or at specific OUs as required) and ensure they are set to be inherited by child objects.
Now I've hit upon a snag. During demos I've found PRS fails to unlock my account, or allow me to reset my password, and I find that my account has "Include inheritable permissions from this object's parent" un-ticked, even though I have previously set this flag.
Now I've finally found the reason this keeps getting reset, and it's a good one!
Microsoft have built protection into Active Directory so you can't lock yourself out as an admin by denying or losing permissions to objects. Every 40-60 minutes, objects with an admin-bit set have their inheritance disabled to protect from fools messing where they shouldn't!
I first read about this here: http://davesimm.blogspot.co.uk/2011/02/lync-enabling-or-making-lync-changes-to.html
with further reading linked by Dave to http://enterpriseadminanon.blogspot.co.uk/2009/05/that-admincount-adminsdholder-and.html and http://support.microsoft.com/kb/817433
So I will now apply these permissions to the individual user accounts that have the admin bit set, and so do have inheritance blocked by AD.
This will prove to be time consuming as we have a large number of users who fit this scenario.
In light of this, I'll investigate some PowerShell script to apply these permissions, hopefully to all objects within a specific OU so I don't have to pass each individual object name manually.
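The script below is an added example for the scenario in the post above; it is not code from the thread, from Thycotic or from PRS, and it assumes the RSAT ActiveDirectory module (which provides the AD: drive) in a domain-joined session. The OU distinguished name and the service account name are placeholders. It first audits which accounts under the OU carry adminCount=1 and have inheritance blocked, which is what the AdminSDHolder/SDProp mechanism described above produces. One caveat from the linked KB article matters for the plan of granting the rights per account: SDProp does not merely clear the inheritance flag, it replaces the DACL of every protected object with the DACL of CN=AdminSDHolder,CN=System on each run, so ACEs added directly to a protected account are reverted as well. The durable place for the four rights is therefore the AdminSDHolder object itself, which the script does only when the -ApplyToAdminSDHolder switch is given; note that those ACEs then reach every protected user and group in the domain, not just the audited OU, so run the audit first.

```powershell
<#
 Added example, not part of the original thread or of any Thycotic product.
 1) Audit accounts under an OU that SDProp protects (adminCount=1).
 2) Optionally grant the four rights a password-reset service account needs
    on the AdminSDHolder object, from which SDProp copies them to every
    protected account on its next run.
 Assumes the RSAT ActiveDirectory module. $SearchBase and $ServiceAccount
 are placeholders to be replaced with real values.
#>
param(
    [string]$SearchBase     = 'OU=Staff,DC=example,DC=local',  # placeholder OU
    [string]$ServiceAccount = 'svc-prs',                       # placeholder sAMAccountName
    [switch]$ApplyToAdminSDHolder
)
Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. Audit: which accounts in the OU are protected, and is inheritance blocked?
$report = Get-ADUser -SearchBase $SearchBase -Filter 'adminCount -eq 1' `
              -Properties adminCount, nTSecurityDescriptor |
          ForEach-Object {
              [pscustomobject]@{
                  SamAccountName     = $_.SamAccountName
                  AdminCount         = $_.adminCount
                  InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
              }
          }
$report | Format-Table -AutoSize
if (-not $ApplyToAdminSDHolder) { return }

# --- 2. Resolve the GUIDs from the directory instead of hard-coding them.
$rootDse = Get-ADRootDSE

function Get-ExtendedRightGuid([string]$DisplayName) {
    # Extended rights ("Change Password", "Reset Password") live in the
    # configuration partition; rightsGuid is stored as a string.
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [guid]$r.rightsGuid
}

function Get-AttributeGuid([string]$LdapDisplayName) {
    # Attribute GUIDs (lockoutTime, pwdLastSet) come from the schema partition;
    # schemaIDGUID is stored as a byte array.
    $a = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid]$a.schemaIDGUID
}

$sid   = (Get-ADUser -Identity $ServiceAccount).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
# "This object only": SDProp copies the ACE onto each protected object as-is.
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$rules = @(
    # Object > Change Password / Reset Password are extended rights.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid 'Change Password'), $none)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid 'Reset Password'), $none)
    # Properties > Write lockoutTime / Read pwdLastSet are property rights.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        (Get-AttributeGuid 'lockoutTime'), $none)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty, $allow,
        (Get-AttributeGuid 'pwdLastSet'), $none)
)

# --- 3. Add the ACEs to AdminSDHolder; SDProp propagates them (default: every 60 minutes).
$holderDn  = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$holderAcl = Get-Acl -Path "AD:\$holderDn"
foreach ($rule in $rules) { [void]$holderAcl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$holderDn" -AclObject $holderAcl
Write-Host "Granted $($rules.Count) ACEs for $ServiceAccount on $holderDn."
```

Run it once without the switch to see the list of protected accounts and confirm that InheritanceBlocked is True for them, which is the symptom described in the post. Accounts that no longer need protection (for example, a user removed from Domain Admins) keep adminCount=1 and stay protected until adminCount is cleared and inheritance re-enabled by hand; SDProp never undoes its own changes.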
9/13/2013 1:06:01 PM
Thanks for sharing the information on what you have found. This is not something that we have run into with other customers' setups.
If there is something we can help you with let us know.
Thycotic Support Engineer