May 11, 2018

Active Directory - Password Reset Delegation Audit using PowerShell

I have a Test OU within the example.com Active Directory. PWResetUser was delegated the password reset permission on that OU. However, the delegated user can't reset passwords for all accounts inside that OU: some attempts fail with access denied errors. The PowerShell script below helps to identify the problematic user accounts.

./check-acl.ps1 -Identity "*PWResetUser" -OU "OU=Test,DC=example,DC=com"

Rights         User         Type Identity
------         ----         ---- --------
Reset Password Username1   Allow TEST\PWResetUser
Reset Password Username2   Allow TEST\PWResetUser
No Data        Username3 No Data No Data

As you can see, Username3 shows No Data: no ACE granting PWResetUser the Reset Password right exists on that object. After checking the Security tab of the user's properties, I found the problem: security inheritance was disabled on that user, so the permission delegated at the OU level never reached it.

So after re-enabling inheritance (or manually delegating the password reset permission to PWResetUser on that account), the delegated user can reset the password for Username3 as well. The report now looks better:

Rights         User       Type Identity
------         ----       ---- --------
Reset Password Username1 Allow TEST\PWResetUser
Reset Password Username2 Allow TEST\PWResetUser
Reset Password Username3 Allow TEST\PWResetUser

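The author's check-acl.ps1 is not reproduced on this page. The script below is an added example of the same audit, written for this page and not the author's code. It assumes the ActiveDirectory RSAT module, the AD: PSDrive that module provides, and an account that can read the security descriptors of the objects in the OU; the parameter names -Identity and -OU mirror the usage line above. It goes beyond the original output in two ways: it also reports whether ACL inheritance is blocked on each object (AreAccessRulesProtected), which was the root cause found above, and the adminCount attribute, because accounts that are members of protected groups get inheritance disabled again by the AdminSDHolder/SDProp process roughly every hour, so re-enabling inheritance on such an account does not stick and an explicit ACE is the durable fix.

```powershell
<#
  Added example (not the author's check-acl.ps1): audit which user objects
  under an OU carry an ACE granting a delegated identity the "Reset Password"
  extended right, and flag objects where ACL inheritance is blocked.
  Assumes the ActiveDirectory RSAT module and its AD: PSDrive.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Identity,   # wildcard on DOMAIN\name, e.g. "*PWResetUser"
    [Parameter(Mandatory)] [string] $OU          # search base, e.g. "OU=Test,DC=example,DC=com"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known rightsGuid of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Classify an ACE: returns a label if it allows a password reset, otherwise $null.
function Get-ResetRightLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule] $Ace)
    if (($Ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { return 'GenericAll' }
    if ($Ace.ActiveDirectoryRights -band $ExtendedRight) {
        if ($Ace.ObjectType -eq $ResetPasswordGuid) { return 'Reset Password' }
        if ($Ace.ObjectType -eq [guid]::Empty)     { return 'All Extended Rights' }
    }
    return $null
}

foreach ($user in Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree -Properties adminCount) {
    # The AD: drive exposes each object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # Keep only ACEs for the delegated identity that actually permit a reset.
    $aces = foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike $Identity) { continue }
        $label = Get-ResetRightLabel -Ace $ace
        if ($label) { [pscustomobject]@{ Label = $label; Ace = $ace } }
    }

    if ($aces) {
        foreach ($hit in $aces) {
            [pscustomobject]@{
                Rights             = $hit.Label
                User               = $user.SamAccountName
                Type               = $hit.Ace.AccessControlType    # Allow or Deny
                Identity           = $hit.Ace.IdentityReference.Value
                InheritanceBlocked = $acl.AreAccessRulesProtected  # $true = inheritance disabled
                AdminCount         = $user.adminCount              # 1 = AdminSDHolder-protected
            }
        }
    } else {
        # No matching ACE: the row the original report printed as "No Data".
        [pscustomobject]@{
            Rights             = 'No Data'
            User               = $user.SamAccountName
            Type               = 'No Data'
            Identity           = 'No Data'
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AdminCount         = $user.adminCount
        }
    }
}
```

Run it the same way as the usage line above, for example `.\audit-reset-delegation.ps1 -Identity "*PWResetUser" -OU "OU=Test,DC=example,DC=com" | Format-Table`. A "No Data" row with InheritanceBlocked set to True reproduces the Username3 case; a row with InheritanceBlocked True and AdminCount 1 is one where re-enabling inheritance will be undone by SDProp, so the delegated right has to be granted explicitly on the object (or the account removed from the protected group, with adminCount cleared and inheritance re-enabled). Deny ACEs are reported as well, since an explicit Deny for the delegated identity also produces the access denied symptom.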
Script Syntax:

