Admin accounts not able to change their own password, also noted that “Domain Admins” group had inheritance enabled (which is wrong).
Checking at the AdminSDHolder permissions there is no everyone group there and worst thing is that inheritance was enabled (that’s the reason why Domain Admins has inheriting enabled and unable to change their password).
How to restore the adminSDholder permissions?
NOTE: I tried to reset it with dsacls tool, but it's not the same thing.
-
Unsolved How to restore AdminSDHolder permissions?
-
I'm testing this on a Server 2016 machine:
- open
ADSI Edit - connect to your naming context
- expand the container beneath default naming context
- expand on
CN=System - right click on
CN=ADminSDHolder, select Properties. - Click on
Securitytab; click onAdvancedButton - On
Permissionstab, click onRestore Defaults.
This should do it for you.
If you have inheritance turned on you'll have issues.Cordially,
Ronnie Wong
Edutainer Manager, ACI Learning [ITPRO]
*if the post has answered the question, mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV. - open
