Can powershell be used to provide a list of people with reset password ability?

  • Question

  • We are trying to tighten our security, but thanks to the environment we are in this is a bigger task than it should be. As part of this I have been asked to get a list of users who have the ability to reset other users' passwords. There are the obvious suspects (domain admins, service desk, etc.), but we also appear to have random people who can do this because of a requirement during test or development stages way back. Is there a way to get this? I looked at using PowerShell, but there doesn't seem to be much out there to give me a pointer. Things like ADManager+ do not work: when I try to search on permissions it sits there doing nothing and then crashes, so I have now turned to PowerShell.

    Is there a way to build a function using powershell that can do this or is there some third party cmdlet or app that will provide me this info?

    Any help gratefully accepted

    • Moved by Bill_Stewart Saturday, July 5, 2014 3:04 PM Question outside forum scope
    Wednesday, March 5, 2014 2:53 PM

All replies

  • By default, operators, admins and object owners/managers are the only ones with this capability.

    What you want is to look for all ACEs with the password change right set. Here is an article on how this is set up:

    http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

    Here is an article on how to analyze AD security.

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx

    You really should post in the Directory Services forum for more up to date info.


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, March 5, 2014 3:12 PM
    Wednesday, March 5, 2014 3:02 PM
  • You can, but you'll have to check the ACLs of at least every OU in your environment to generate that type of report.  Here's some basic code to list ACEs that allow the "Reset Password" extended right (but doesn't include "Full Control"; you'd have to search for those separately, if desired.)

    $user = Get-ADUser -Identity someUser -Property ntSecurityDescriptor
    
    $extendedRights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $resetPasswordRight = '{00299570-246d-11d0-a768-00aa006e0529}'
    
    $user.ntSecurityDescriptor.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band $extendedRights) -eq $extendedRights -and
        $_.ObjectType -eq $resetPasswordRight
    }

    Wednesday, March 5, 2014 3:11 PM
  • It sounds to me like some users may have received the Reset Password delegated privilege.

    There's a TechNet wiki page, "How to View or Delete Active Directory Delegated Permissions", with a number of methods you could use to discover who has delegated control. One of the methods uses the Quest AD PowerShell cmdlets.



    • Edited by Jason Warren Wednesday, March 5, 2014 3:13 PM added the wiki link! :)
    Wednesday, March 5, 2014 3:11 PM
  • I originally posted in Directory Services and was advised to post here
    Wednesday, March 5, 2014 3:38 PM
  • I originally posted in Directory Services and was advised to post here

    And within minutes you received three excellent answers! :)

    Good advice from the Directory Services forum.


    Wednesday, March 5, 2014 3:42 PM
  • Thanks, that appears to work, but it only searches for a single user's ability to reset passwords; given the number of users we have, this method would take weeks to complete. I'll see if I can work out how to search the entire directory and return a list of users with this ability.

    Wednesday, March 5, 2014 3:44 PM
  • This gets you a quick scan of who has direct access.  It does not include builtin access.

    # Walk every object under the search base, read each ACL and keep the Allow ACEs whose
    # ObjectType is the Reset Password control access right (00299570-246d-11d0-a768-00aa006e0529)
    $paths = dir 'AD:\dc=testnet,dc=local' -Recurse | %{ $_.DistinguishedName }
    $paths | %{ Get-Acl "AD:\$_" } |
         Select -Expand Access |
         ?{ $_.ObjectType -eq '00299570-246d-11d0-a768-00aa006e0529' -and $_.AccessControlType -eq 'Allow' } |
         Select IdentityReference -Unique

    On a large domain it could take hours to run.

    You can change the AD:\ path to point to a specific OU to select smaller groups.


    ¯\_(ツ)_/¯

    Wednesday, March 5, 2014 3:44 PM
  • David's code above looks like the quickest and shortest way to check. I would like to add that if the ObjectType is an empty GUID (and the ObjectFlags doesn't contain the ObjectAceTypePresent flag), and the rights include 'ExtendedRight', then all extended rights are allowed. That would mean you need to check his condition, plus the condition where 'ExtendedRight' has been granted with no limiting ObjectType. Maybe something like this in his where block:

    $typePresent = [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent
    Where-Object {
        # ExtendedRight is granted, and either no ObjectType is set (every extended right) or it is Reset Password
        (($_.ActiveDirectoryRights -band $extendedRights) -eq $extendedRights) -and
        ((($_.ObjectFlags -band $typePresent) -ne $typePresent) -or ($_.ObjectType -eq $resetPasswordRight))
    }

    This isn't useful to you right now, but keep an eye on this module, because AD rights management (without the AD module) is being added in the next release (which could take anywhere from one to two weeks; most of the functionality is ready, but I've still got tons of testing to do).

    Wednesday, March 5, 2014 3:58 PM
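The replies above each cover one piece: David's snippet tests the ACEs on a single user, jrv's walks the directory, and the last reply points out that an ExtendedRight ACE with no ObjectType grants every extended right. The script below is an added example that combines the three into one directory-wide report; it is not code from any post in this thread. It assumes the ActiveDirectory module (the AD: drive) is loaded, and the $SearchBase value is an assumed placeholder to replace with your own domain or OU DN. The Reset Password GUID is the one quoted in the thread; the user-class GUID and the GenericAll check are well-known schema constants added here to catch "Full Control" style grants, which David noted his snippet does not cover.

```powershell
# Added example, not from any poster in this thread: one pass over the directory that reports
# every trustee with an Allow ACE that can reset a user's password.
# Requires the ActiveDirectory module (AD: drive). $SearchBase is an ASSUMED placeholder.
Import-Module ActiveDirectory

$SearchBase = 'AD:\DC=example,DC=com'   # ASSUMPTION: replace with your domain or OU DN

# Well-known schema GUIDs: Reset Password control access right (quoted in the thread) and the user object class
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll         = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$TypePresent        = [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent
$InheritTypePresent = [System.Security.AccessControl.ObjectAceFlags]::InheritedObjectAceTypePresent

function Test-ResetPasswordAce {
    # True when the ACE can let its trustee reset a user's password:
    #  - it is an Allow ACE, and
    #  - it applies to user objects (no InheritedObjectType, or InheritedObjectType = user class), and
    #  - it grants GenericAll, or ExtendedRight with no ObjectType (all extended rights),
    #    or ExtendedRight limited to the Reset Password GUID
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)

    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }

    $inheritTypeSet = ($Ace.ObjectFlags -band $InheritTypePresent) -eq $InheritTypePresent
    if ($inheritTypeSet -and $Ace.InheritedObjectType -ne $UserClassGuid) { return $false }

    if (($Ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { return $true }
    if (($Ace.ActiveDirectoryRights -band $ExtendedRight) -ne $ExtendedRight) { return $false }

    $typeSet = ($Ace.ObjectFlags -band $TypePresent) -eq $TypePresent
    if (-not $typeSet) { return $true }   # ExtendedRight with no ObjectType covers every extended right
    return $Ace.ObjectType -eq $ResetPasswordGuid
}

function Get-ResetPasswordGrants {
    param([string]$Path)
    # Include the search base itself, then every object beneath it
    $objects = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($obj in $objects) {
        $dn  = $obj.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if (-not (Test-ResetPasswordAce -Ace $ace)) { continue }
            if (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { $scope = 'GenericAll' }
            elseif (($ace.ObjectFlags -band $TypePresent) -eq $TypePresent)    { $scope = 'ResetPassword' }
            else                                                               { $scope = 'AllExtendedRights' }
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Scope     = $scope
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                GrantedOn = $dn
            }
        }
    }
}

# Non-inherited ACEs show where each grant was actually made (an OU delegation or a one-off on a
# single user); inherited copies on child objects are dropped so every grant is listed once.
Get-ResetPasswordGrants -Path $SearchBase |
    Where-Object { -not $_.Inherited } |
    Sort-Object Identity, GrantedOn -Unique |
    Format-Table Identity, Scope, Rights, GrantedOn -AutoSize
```

As jrv notes for his version, this reads every ACL under the search base and can take hours on a large domain; narrow $SearchBase to an OU to test it first. It reports trustees as they appear in the ACEs, so a group name in the output still has to be expanded to its members, and rights that come from built-in group membership rather than an ACE (the "builtin access" jrv mentions) are not listed.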
  • Thanks, that appears to work, but it only searches for a single user's ability to reset passwords; given the number of users we have, this method would take weeks to complete. I'll see if I can work out how to search the entire directory and return a list of users with this ability.

    The script I posted will scan the whole directory. If you do find who has been delegated from this list you can backtrack.


    ¯\_(ツ)_/¯

    Wednesday, March 5, 2014 4:18 PM