2

I am using an ssh client to log into a server to issue password change commands from the prompt. The problem occurs when attempting this on the domain server. I log in using an admin account (not THE administrator account) and attempt to change the password for a user (net user UserName password /domain) and I get the following error:

System error 5 has occurred.

Access is denied.

Now if I log in using the Administrator account the command completes successfully. So there must be some policy or security permission somewhere that allows the administrator account to do what the admin account cannot. I compared groups and the admin account is part of all the necessary groups. Any input as to where this might be located?

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • Tried logging in as the user and still get the same error so it is not a cygwin thing but a Windows thing. I tried copy the administrator account into a new account and tried the same commands and still get access denied which tells me it is something defined in a policy or something similar since the copy has the exact same group assignments as the original. Even tried using dsmod and it gives a different error but same result. –  Jul 08 '09 at 19:28
  • Nev - I changed the commands slightly to include your admin account credentials - can you try that? – Izzy Jul 08 '09 at 22:01
  • To add a wrinkle. I can create an admin account, login using that account and change users through the mmc snap-in for active directory users and computers, however if I go to a command prompt and use "net user" or "dsmod" then I get the access denied error. –  Jul 23 '09 at 15:16
  • FWIW - I have the same problem on Server 2008, with a local user. As the Administrator, I can use "net user" As a new user, in the Administrators group, I get "access denied" – Chris Vesper Jan 17 '12 at 21:20

5 Answers5

2

Even though you say you checked the group memberships, it really sounds like your "admin" account doesn't have the same group memberships as the "Administrator" account.

The Windows "whoami.exe" (not the Cygwin whoami) with the "/ALL" parameter will show you each user's group memberships so that you can compare them.

(In theory, it would be possible to modify the permissions of user objects in AD to deny the "admin" user rights to change their password while still having "admin" be members of the same groups as "Administrator", but I think that's highly unlikely.)

To rule out anything to do with the cygwin SSH altogether, why not logon locally to the server comuter with the "admin" credential and try your "NET USER" from an NT command prompt?

Edit:

There really isn't any kind of group policy setting that affects the ability to change passwords, per se. If your "admin" account is a member of "Enterprise Admins" it should be able to reset the password of any other account in the Active Directory. Like I said above, there are "tweaks" that one could have made to AD that would change that behaviour, but I find it highly unlikely that any of that would've been done. I think that something else is happening.

If you don't have failure auditing of account management events enabled, now is a good time to either create a new GPO linked to your "Domain Controllers" OU (the preferred) or to modify your "Default Domain Controllers" GPO (not preferred-- you really shoild leave this GPO "stock) and turn on account management event failure auditing. Dig down into "Computer Configuration", "Windows Settings", "Security Settings", "Local Policies", and "Audit Policy" and enable failure auditing on "Account management".

Run a "gpupdate" on your domain controller comptuers, try your "NET USER" again, and examine the Security Event Log on all your DC's to see which one is recording the failed password change.

I'm keen to figure out what's going on. Like I said, I expect that it's something simple that's being overlooked... We'll see...

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • I tried that and nothing is getting logged on failure, even though I am still getting the access denied message. I even tried setting to log on success and failure and nothing is logged at all for account management. –  Jul 13 '09 at 16:54
1

The first admin account, does it have Domain Admin or Account Operator group membership within the domain? Or does it have delegated right to reset password on the user account? Since you're specifying /domain, the change is being made against a domain user account, so the rights will need to be at the domain level.

K. Brian Kelley
  • 9,034
  • 32
  • 33
1

After many years trying to track down this sort of problem, these days if I want to create an "admin" account I always do it by copying the Administrator account. In AD Users and Computers right click the Administrator account and choose "Copy". Saves much time!

Whether it's good practice to have multiple admin accounts is debatable of course ...

JR

John Rennie
  • 7,776
  • 1
  • 23
  • 35
0

Your network account may be a local administrator to the machine, but you it is probably not in the Account Operator group. With the /domain switch you don't even have to run it on the actual server, just issue it from a command prompt with the appropriate credentials from any computer in the domain.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
0

Net User? Ewwww. You should be using DSMOD.

DSMOD user userDN -pwd newPassword -d yourDomain.loc -u yourDomain\yourAdminUserAcct

If you don't know what the userDN is, use this:

DSQUERY user -name userName -d yourDomain.loc -u yourDomain\yourAdminUserAcct

If you want to get fancy, you can pipe the result of the DSQUERY straight into the DSMOD, like so:

DSQUERY user -name userName -d yourDomain.loc -u yourDomain\yourAdminUserAcct | DSMOD user -pwd newPassword -d yourDomain.loc -u yourDomain\yourAdminUserAcct

If you want to set the User Must Change Password At Next Logon flag, then add -mustchpwd yes to the DSMOD argument string, like so:

DSQUERY user -name userName -d yourDomain.loc -u yourDomain\yourAdminUserAcct | DSMOD user -pwd newPassword -d yourDomain.loc -u yourDomain\yourAdminUserAcct -mustchpwd yes
Izzy
  • 8,224
  • 2
  • 31
  • 35
  • I think the length of your DSQUERY / DSMOD command lines speaks to why a lot of us still use NET USER for simple things like password resets. I definitely use DSMOD when I need to change something in another domain (which is fairly rare) or when I need to do fun things like merge two groups together. For a simple password reset in a single domain environment, typing "NET USER samAcccountName newpassword" is just faster. – Evan Anderson Jul 08 '09 at 21:50
  • Now you're just following me around?! ;) Fair comment. I've been living in the painful world of multiple domain organisations for a few years. One thing though - would not providing the credentials (as you can in DSMOD with the -u yourDomain\yourAdminAccount) be a workaround for the problem he's having here? I edited and added those parts after he said he tried it – Izzy Jul 08 '09 at 22:02
  • I'm not so much following you around as generally following all of Server Fault around. >smile< I'm not sure re: the credentials, what w/ not knowing the underlying problem he's having. – Evan Anderson Jul 08 '09 at 23:44
  • I try: DSMOD user "CN=Test User,OU=Users,DC=MyDomain,DC=com" -pwd ResetPass123! -d MyDomain.com -u Mydomain\Administrator -p AdminPassword And get logon attempt failed even though all the credential supplied are correct. –  Jul 09 '09 at 20:12