
Unable to edit Account Options with Delegate AD access (Access Denied)


We allow the IT services in other countries to manage certain parts of their AD/OU via Delegate Control. Under one Country OU, the delegated rights to edit Account Options are no longer working. This affects their ability to set "User must change password at next logon", "User cannot change password", "Password never expires", etc. It fails with a permissions error and creates the user account object as disabled. As far as we can tell, nothing has changed on our side. I have looked in Group Policy and I didn't see anything set on that specific OU, just the minimum and maximum password age (min 1, max 60, part of the Default Domain Policy). This is my first foray into the horrible world of delegated control, so I apologize if I have listed anything that isn't relevant.

Can anyone please help me to understand why they would no longer be able to perform the tasks mentioned? I have created my own group and set delegated access on the same OU, with the same outcome. Here are some of the tests I did:

Test 1

They have the following permissions:

Reset password
Read accountExpires
Write accountExpires
Read lockoutTime
Write lockoutTime
Read pwdLastSet
Write pwdLastSet
Read userAccountControl
Write userAccountControl

for the following object types: USER

Test 2

Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Modify the membership of a group

for the following object types: USER

Test 3

Change password
Reset password
Read and write account restrictions
Read accountExpires
Write accountExpires
Read expirationTime
Write expirationTime
Read lockoutTime
Write lockoutTime
Read Member Of
Write Member Of
Read pwdLastSet
Write pwdLastSet
Read userAccountControl
Write userAccountControl

I also set auditing on the specific OU for a specific user in an attempt to catch a log of the failure to set a password as never expiring, but so far I haven't been able to find a trace of it.

From my own research, it looked like I had all the bases covered. I have seen it mentioned to check the replication but I am not 100% sure how to do that. Can someone help, please?

Thanks, Zak
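As an added example (not part of Zak's post), the following PowerShell script, run from a domain-joined host with the RSAT ActiveDirectory module, lists the ACEs on the delegated OU that cover the attributes and rights behind the Account Options checkboxes (userAccountControl, pwdLastSet, lockoutTime, accountExpires, the Account Restrictions property set, and the Reset/Change Password extended rights) and checks the three things that most often make a delegation that looks complete still fail: a Deny ACE held by some other principal the delegates are members of, inheritance blocked on a child OU, and the "User cannot change password" option, which ADUC implements as Deny ACEs for the Change Password right on the user object and which therefore needs Modify Permissions (WriteDacl) on user objects rather than a property write. It finishes with a live set-and-revert test of each option as the delegated account, so the DC's own error text says which write it refused. The OU DN, the group name and the test user DN are placeholders (assumptions); replace them with your own.

```powershell
# Added example, not from the original post. Inspects the delegation on an OU for the
# attributes and rights behind ADUC's "Account options" and runs a live write test
# as the delegated account. The OU, group and test-user names are assumptions.
Import-Module ActiveDirectory

$OU       = 'OU=Users,OU=CountryX,DC=corp,DC=example'   # assumed delegated OU
$Group    = 'CORP\CountryX-IT'                           # assumed delegated group
$TestUser = "CN=Delegation Test,$OU"                     # assumed throw-away test user

# Schema attribute, property-set and extended-right GUIDs that the account-option
# checkboxes touch (well-known values from the default AD schema).
$Guids = @{
  '00000000-0000-0000-0000-000000000000' = 'all properties / all extended rights'
  'bf967a68-0de6-11d0-a285-00aa003049e2' = 'userAccountControl (password never expires, disabled)'
  'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (must change password at next logon)'
  '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
  'bf967915-0de6-11d0-a285-00aa003049e2' = 'accountExpires'
  '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions property set (contains userAccountControl)'
  '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password extended right'
  'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password extended right'
}
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$AnyObject = [guid]'00000000-0000-0000-0000-000000000000'

function Get-AccountOptionAces {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        $target = $ace.ObjectType.ToString()
        $isDacl = $ace.ActiveDirectoryRights -match 'WriteDacl|GenericAll'
        if (-not $Guids.ContainsKey($target) -and -not $isDacl) { continue }
        # An ACE set on the OU only applies to the users inside it if it is inheritable
        # and its inherited-object type is the user class (or unrestricted).
        $reachesUsers = ($ace.InheritanceType -ne 'None') -and
                        ($ace.InheritedObjectType -eq $AnyObject -or $ace.InheritedObjectType -eq $UserClass)
        $label = $target
        if ($Guids.ContainsKey($target)) { $label = $Guids[$target] }
        [pscustomobject]@{
            Identity     = $ace.IdentityReference.Value
            Type         = $ace.AccessControlType
            Rights       = $ace.ActiveDirectoryRights
            Target       = $label
            ReachesUsers = $reachesUsers
            Inherited    = $ace.IsInherited
        }
    }
}

$aces = Get-AccountOptionAces -Dn $OU

"== ACEs granted to $Group on $OU (ReachesUsers must be True) =="
$aces | Where-Object Identity -eq $Group | Format-Table -AutoSize

# 1. Deny beats Allow. A Deny on these attributes for any group the delegates belong to
#    (Everyone, Authenticated Users, a country group, ...) overrides the delegation.
"== Deny ACEs on account-option attributes, any principal =="
$aces | Where-Object Type -eq 'Deny' | Format-Table -AutoSize

# 2. If a child OU blocks inheritance, the OU-level ACE never reaches the users below it.
"== OUs under $OU with inheritance blocked =="
Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter * | ForEach-Object {
    if ((Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected) { $_.DistinguishedName }
}

# 3. "User cannot change password" is not an attribute write: ADUC implements it as Deny
#    ACEs for the Change Password right on the user object, which needs Modify
#    Permissions (WriteDacl) on user objects. A property-only delegation cannot set it.
"== WriteDacl/GenericAll for $Group on user objects =="
$aces | Where-Object { $_.Identity -eq $Group -and $_.Rights -match 'WriteDacl|GenericAll' -and $_.ReachesUsers }

# 4. Live test as the delegated account: each option is set and then reverted on the
#    test user. The DC's error text names the write it refused.
$cred  = Get-Credential -Message 'Credentials of a delegated admin (not your own)'
$tests = @(
    @{ Name = 'must change password at next logon'; On = @{ ChangePasswordAtLogon = $true }; Off = @{ ChangePasswordAtLogon = $false } },
    @{ Name = 'password never expires';             On = @{ PasswordNeverExpires  = $true }; Off = @{ PasswordNeverExpires  = $false } },
    @{ Name = 'user cannot change password';        On = @{ CannotChangePassword  = $true }; Off = @{ CannotChangePassword  = $false } }
)
foreach ($t in $tests) {
    $on = $t.On; $off = $t.Off
    try   { Set-ADUser -Identity $TestUser -Credential $cred @on; "OK     : $($t.Name)" }
    catch { "DENIED : $($t.Name) -> $($_.Exception.Message)"; continue }
    try   { Set-ADUser -Identity $TestUser -Credential $cred @off } catch { }
}

# Object-access audit events (4662) are only written on the DC when the subcategory
# is enabled there; check with:  auditpol /get /subcategory:"Directory Service Access"
```

Run it once as a domain admin for the ACL listing, then supply the delegated account's credentials at the prompt for step 4; the step 4 result as the delegate is the one that matters, since the same writes will succeed under your own account regardless of the delegation. If step 1 shows no Deny, step 2 lists no OUs and step 4 still fails, compare the listing against a Country OU where the delegation still works, since the ACE differences between the two are then the remaining explanation.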

