Hi there,
we have a root domain (i.e. company.de) with some subdomains (i.e. lab.company.de & prod.company.de). Our admins (they are all created in prod.company.de) have the right to reset passwords in the subdomain (lab.company.de).
When the admins are using the dsa.msc console search feature and select "Find [Users, Contacts, and Groups] in [Entire Directory]", they are not allowed to reset the password of users in die lab.company.de domain.
Error message: access denied
When the same admin uses "Find [Users, Contacts, and Groups] in [lab.company.de]", he is allowed to reset the password without any error message.
Works as design or bug? Couldn't find further informations about this strange behavior.