PowerShell/ADSI Permission Issue with AD related tasks


I'm working on a PS script that will give users a GUI & a few buttons to click to do some basic tasks such as unlocking an account, enabling/disabling, changing passwords and killing processes / logging user off. The parts that do NOT work are : enable/disable users and change passwords.

First of all, everything works as a domain admin but I can not make the user a domain admin, so please do not suggest that :)

Here's the change password part:

    $name = "osman"
    # Locate the account by sAMAccountName with an ADSI searcher
    $Searcher = [ADSISearcher]"(sAMAccountName=$Name)"
    $Results = $Searcher.FindOne()
    $password = "pezevenk@321"

    # Bind to the user object by its ADsPath and reset the password
    # (SetPassword needs the "Reset Password" extended right on the target object)
    [string]$adspath = $Results.Properties.adspath
    $enable = [ADSI]$adspath
    $enable.psbase.invoke("SetPassword", $password)

The Error is pretty generic:

Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
At line:14 char:13
+             $enable.psbase.invoke("SetPassword", $password)

Now, obviously, I've tried to give proper permissions to the user before I even attempted this: the user I'm running this with has the "reset password" and "change password" rights delegated on the "Users" folder in AD, which includes all the users.

Is there any way to see exactly what permission I'm missing? Can you guys think of anything else that is required?

Edit: These are the permissions for the OU:

    "Path","ObjectTypeName","InheritedObjectTypeName","ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType","ObjectFlags","AccessControlType","IdentityReference","IsInherited","InheritanceFlags","PropagationFlags"
    "CN=Users,DC=domainname,DC=root,DC=com","All","User","ReadProperty, GenericExecute","Descendents","00000000-0000-0000-0000-000000000000","bf967aba-0de6-11d0-a285-00aa003049e2","InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","Pwd-Last-Set","User","ReadProperty, WriteProperty","Descendents","bf967a0a-0de6-11d0-a285-00aa003049e2","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","Lockout-Time","User","WriteProperty","Descendents","28630ebf-41d5-11d1-a9c1-0000f80367c1","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Account-Control","User","WriteProperty","Descendents","bf967a68-0de6-11d0-a285-00aa003049e2","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Force-Change-Password","User","ExtendedRight","Descendents","00299570-246d-11d0-a768-00aa006e0529","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Change-Password","User","ExtendedRight","Descendents","ab721a53-1e2f-11d0-9819-00aa0040529b","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","False","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Change-Password","User","ExtendedRight","Descendents","ab721a53-1e2f-11d0-9819-00aa0040529b","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","True","ContainerInherit","InheritOnly"
    "CN=Users,DC=domainname,DC=root,DC=com","User-Force-Change-Password","User","ExtendedRight","Descendents","00299570-246d-11d0-a768-00aa006e0529","bf967aba-0de6-11d0-a285-00aa003049e2","ObjectAceTypePresent, InheritedObjectAceTypePresent","Allow","domainname\osman","True","ContainerInherit","InheritOnly"
asked on Server Fault Mar 24, 2015 by user2629636 • edited Mar 25, 2015 by user2629636

3 Answers


You can edit the original AD.msc and add functionality as you like.
Here are some links:
Custom AD console
Right Click password reset
Right Click Unlock
Add additional columns

answered on Server Fault Mar 25, 2015 by EliadTech

The only way I know of for a user to set their own password is this command.

    Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString $Password -AsPlainText -force) -PassThru

It will prompt them for their current password or, if you leave out NewPassword, it will prompt for both. If you are trying to give a helpdesk-type person these rights, make sure you are not testing on an administrative account, since they will never be able to change the password on an administrative user: they are protected with the attribute adminCount = 1. I have successfully allowed help desk personnel to change passwords in ADUC with change password permission on the user OU. We ended up buying a product to allow users to reset their own passwords. I know it doesn't exactly answer your question, but I hope some of this information helps.

answered on Server Fault Mar 24, 2015 by Xerolooper

I've noticed the problem: the destination user "osman" I was testing this on was a domain admin and, apparently, domain admins do not inherit delegation (no idea why; not documented as far as I can see). All other non-admins work just fine! Thanks for all your suggestions.

answered on Server Fault Mar 25, 2015 by user2629636
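The accepted answer and Xerolooper's note about adminCount = 1 point at the same mechanism: accounts protected by AdminSDHolder do not receive the rights delegated on the Users container, so the ADSI SetPassword call above fails with E_ACCESSDENIED for them. The following is an added example (not code from the question or any answer) that checks adminCount before attempting the reset, so a helpdesk tool can report the real cause rather than a bare access-denied error; the function name Reset-DelegatedPassword is an assumption, and it assumes the caller holds the delegated "Reset Password" right as described in the question.

```powershell
# Added example: reset a password with ADSI, but first detect AdminSDHolder-protected
# targets (adminCount = 1), which never receive rights delegated on the OU.
function Reset-DelegatedPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )

    # Same lookup as the question, but ask explicitly for the attributes we need
    $searcher = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('adspath', 'adminCount', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found." }

    $dn = [string]$result.Properties['distinguishedname'][0]
    # Missing attribute means the account is not protected
    $adminCount = if ($result.Properties['admincount'].Count -gt 0) { [int]$result.Properties['admincount'][0] } else { 0 }

    # AdminSDHolder (SDProp) rewrites the ACL of protected accounts and disables
    # inheritance on them, so delegated OU permissions do not apply; stop here
    # instead of producing an unexplained E_ACCESSDENIED.
    if ($adminCount -eq 1) {
        return [pscustomobject]@{ User = $dn; Status = 'SkippedProtected'
                                  Detail = 'adminCount=1: delegated OU rights do not apply' }
    }

    $user  = [ADSI]([string]$result.Properties['adspath'][0])
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    try {
        # Needs the "Reset Password" extended right on the target object
        $user.psbase.Invoke('SetPassword', $plain)
        return [pscustomobject]@{ User = $dn; Status = 'Reset'; Detail = '' }
    }
    catch {
        # Invoke wraps the COM error; surface the inner message (e.g. "Access is denied")
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        return [pscustomobject]@{ User = $dn; Status = 'Failed'; Detail = $msg }
    }
    finally {
        $plain = $null
    }
}

# Usage (run as the delegated helpdesk account, not as a domain admin):
# Reset-DelegatedPassword -SamAccountName 'jdoe' -NewPassword (Read-Host -AsSecureString 'New password')
```

A 'SkippedProtected' result tells the operator that the account is managed under AdminSDHolder and must be handled by someone with rights on that object, which is the situation the accepted answer ran into.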

User contributions licensed under CC BY-SA 3.0