Lost in delegation …


Flying over Europe to Dublin, I decided to take some time and write a bit about a delegation discussion I had recently with a customer. To be specific: delegating to a user the right to set the “User must change password at next logon” flag in the ADU&C console.


I was asked about this by one of my favorite clients, and since it looked easy to solve I took on the task of preparing delegation guidelines for them. This can be delegated at the OU level: the right to update the pwdLastSet attribute can be delegated to a user. Setting this attribute to 0 effectively expires the user’s password and forces them to change it at next logon.

Simple and easy. However, playing with it for a moment, I tried to delegate only the right to manage this setting and nothing else, in particular without the right to reset passwords. OK, so with ACLs that allow a user both to set this attribute and to reset the password:

nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[CTL];Reset Password;user;<SID>
nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP];pwdLastSet;user;<SID>

we can set pwdLastSet to a proper value without any problem:

***Call Modify…

ldap_modify_ext_s(ld, 'CN=jan jan,OU=TEst USers,DC=w2k,DC=pl',[1] attrs, SvrCtrls, ClntCtrls);

Modified "CN=jan jan,OU=TEst USers,DC=w2k,DC=pl".

However, when the “Reset Password” right is revoked:

nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[READ PROP][WRT PROP];pwdLastSet;user;<SID>

and we try to perform the same operation, it fails:

***Call Modify…

ldap_modify_ext_s(ld, 'CN=jan jan,OU=TEst USers,DC=w2k,DC=pl',[1] attrs, SvrCtrls, ClntCtrls);

Error: Modify: Insufficient Rights. <50> Server error: 00000005: SecErr: DSID-031A1169, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Error 0x5 Access is denied.


If you think about it for a few seconds, it makes complete sense. Why would somebody want to delegate this right without allowing the same user to reset the password?
But if one did want to use it that way, it is worth remembering that it can’t be done. pwdLastSet may be modified only by the system or by a user, and that user also has to have the Reset Password right delegated, not just write access to the attribute.
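To put this into a delegation script, here is an added example (not code from the original post) that grants both ACEs shown above, Write Property on pwdLastSet plus the Reset Password control access right, inherited to user objects under an OU, and then performs the pwdLastSet = 0 write. It assumes the RSAT ActiveDirectory module, the OU from the post, and a hypothetical helpdesk group named HelpdeskPwd; the schema and extended-right GUIDs are looked up from the directory rather than hard-coded.

```powershell
# Added example: delegate "force password change" correctly (both ACEs),
# then expire a user's password. Group name HelpdeskPwd is hypothetical.
Import-Module ActiveDirectory

$ou       = 'OU=TEst USers,DC=w2k,DC=pl'            # OU from the post
$delegate = (Get-ADGroup 'HelpdeskPwd').SID         # trustee (hypothetical group)
$rootDse  = Get-ADRootDSE

# Resolve the GUIDs by name so nothing is hard-coded:
#  - schemaIDGUID of the 'user' class (inheritedObjectType of the ACEs)
#  - schemaIDGUID of the 'pwdLastSet' attribute ([WRT PROP];pwdLastSet)
#  - rightsGuid of the 'Reset Password' control access right ([CTL];Reset Password)
$schemaNC  = $rootDse.schemaNamingContext
$userClass = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=user)' `
                      -Properties schemaIDGUID).schemaIDGUID
$pwdAttr   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=pwdLastSet)' `
                      -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$ou"

# ACE 1: read/write the pwdLastSet attribute on descendant user objects.
# On its own this ACE is NOT enough: the write fails with INSUFF_ACCESS_RIGHTS (0x5).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegate, 'ReadProperty, WriteProperty', 'Allow', $pwdAttr, $inherit, $userClass)))

# ACE 2: the Reset Password control access right, which the DC also checks
# before it lets a non-system principal write pwdLastSet.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegate, 'ExtendedRight', 'Allow', $resetPwd, $inherit, $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Later, run as a member of HelpdeskPwd: expire the password so the user must
# change it at next logon (same modify LDP performed in the post).
Set-ADUser -Identity 'CN=jan jan,OU=TEst USers,DC=w2k,DC=pl' -Replace @{ pwdLastSet = 0 }

# Verification: pwdLastSet should now read 0 for that account.
(Get-ADUser -Identity 'CN=jan jan,OU=TEst USers,DC=w2k,DC=pl' -Properties pwdLastSet).pwdLastSet
```

Because the second ACE is a full Reset Password grant, the delegate can also set arbitrary passwords on those users, which is exactly the point of the post: there is no narrower delegation that yields only the "expire password" capability.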

And as always, the KB article turns up right after you have finished checking the thing yourself. In this particular case it is KB 296999. However, it doesn’t clearly state that you can’t delegate the right to pwdLastSet separately.