Hello,
I have a problem with Active Directory delegation, more specifically with setting and resetting user account passwords.
I have 2 different forests (let's call them domain 1 and domain 2). I created an external trust, one-way, with SID filtering enabled and domain-wide authentication, and it works fine as expected.
I have a few users in domain 1 that I want to have full control in Active Directory for the other domain, domain 2, so I created a local security group in domain 2 and added the users to it.
I ran the Delegation of Control wizard and assigned full permissions to the local group. I can create and manage almost everything, but not passwords. When I create a new user I get the warning "The password for user1 cannot be set due to insufficient privileges. Windows will attempt to disable this account..." and the account gets disabled.
If I try to reset the password for the same user I get "Windows cannot complete the password change for user1 because: Access is denied".
I have been trying to troubleshoot this for a few days now; this is what I tried:
- I tried to give permissions directly to the user in the other forest/domain, full control or just manage users and passwords; same result
- Event Viewer does not show any errors; I was looking for event IDs 4724 and 4725 but nothing got logged there for the user in the other domain
- I made sure the permissions got applied correctly: I checked in ADUC, under Properties, Security and Advanced, and made sure everything is selected; I checked the permissions with PowerShell, dsacls and with LDP.exe. In every case the permissions are fine, set to full control and exactly the same as Domain Admins.
I suspect that there could be something that does not work when delegating to users from different forests, and I am really confused...
I hope that someone of you can help me with this.
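For anyone auditing the same setup, here is an added example (not from the original post or the poster) that lists the ACEs on an OU which actually grant the Reset Password extended right, shows whether each is scoped to user objects, and flags grantees that no longer resolve to a name. The OU path and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original post: audit which ACEs on an OU actually grant
# the "Reset Password" extended right, whether they are scoped to user objects, and
# whether each grantee still resolves to a name from this domain.
# Assumptions: RSAT ActiveDirectory module is installed; $OuDn is a hypothetical OU.
Import-Module ActiveDirectory

$OuDn = 'OU=Delegated,DC=domain2,DC=local'   # hypothetical OU in the trusting domain

# Schema GUIDs (well-known values).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$EmptyGuid         = [Guid]::Empty   # ObjectType/InheritedObjectType unset = applies to all

function Test-GrantsResetPassword {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $rights = $Ace.ActiveDirectoryRights
    # Full control (GenericAll) already includes every extended right.
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        # An ExtendedRight ACE with an empty ObjectType grants all extended rights.
        return ($Ace.ObjectType -eq $ResetPasswordGuid -or $Ace.ObjectType -eq $EmptyGuid)
    }
    return $false
}

$acl = Get-Acl -Path ("AD:\" + $OuDn)

# Identity: a grantee shown only as a raw SID (S-1-5-21-...) could not be translated,
#   which is worth checking for principals that come from a trusted forest.
# AppliesTo: the ACE must be scoped to "user" objects (or unscoped) to affect accounts.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-GrantsResetPassword -Ace $_) } |
    Select-Object `
        @{ n = 'Identity';   e = { $_.IdentityReference.Value } },
        @{ n = 'Unresolved'; e = { $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] } },
        @{ n = 'Rights';     e = { $_.ActiveDirectoryRights } },
        @{ n = 'AppliesTo';  e = {
            switch ($_.InheritedObjectType) {
                $UserClassGuid { 'user objects' }
                $EmptyGuid     { 'all object classes' }
                default        { $_ }
            } } },
        @{ n = 'Inherited';  e = { $_.IsInherited } } |
    Format-Table -AutoSize
```

Run it against the OU where the delegated users are created; if the group from the trusted forest does not appear in the output, or appears only as an unresolved SID, the ACE is not what the directory is actually evaluating.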