Enabling uReset Password Reset for Active Directory Admin Accounts
The Specops Authentication Gatekeeper Server responsible for writing enrollment information and resetting passwords in AD runs as a low-privilege service account. By default it will not have reset passwords for admin accounts in Active Directory protected by adminSDHolder.
For issues with during enrollment see the following knowledge base article: https://specopssoft.com/knowledge-base/specops-ureset-8/enrolling-admin-accounts-troubleshooting-ad-permissions-issues-affecting-enrollment/
If you have already completed the steps to enable administrator enrollment and have successfully enrolled, you will still see the following error when attempting to reset your admin account password via uReset:
Unable to reset password due to missing permissions. Please contact your administrator to resolve this issue.
You will also find Event ID 2039 logged to the Specops event log in Windows Event Viewer
Log Name: Specops Source: Authentication Gatekeeper (Specops) Event ID: 2039 Level: Information Description: Failed to reset the password for user '12345678-90ab-cdef-1234-567890abcdef', the result code was 'ResetAccountNotAllowedToPerformReset'.
It is possible to extend Password Reset capabilities to admin accounts, however the decision to allow privileged AD accounts (such as domain admins, enterprise admins) to use self-service reset should be carefully considered. Specops will support this configuration; however we have intentionally left the required configuration as a manual process as it grants our software access to change the passwords of the most sensitive accounts in your Active Directory.
Confirm the Affected Account is an AD Admin
Prior to making this change we strongly recommend confirming it is absolutely necessary to grant access to AD admin accounts by confirming the user encountering this error is truly an AD admin (and not, for example, an account that was a former admin or has security permissions broken for some unrelated reason).
The following blog post will work through the details: https://specopssoft.com/blog/troubleshooting-user-account-permissions-adminsdholder/
In summary you want to confirm which adminSDHolder groups the user is a member of, and whether the user should be a member of those groups. If the user is not a member of any groups, re-enable security permissions inheritance on the account and test again before proceeding with the next section here.
Granting Password Reset to AdminSDHolder
We need to use dsacls from a command prompt on a domain controller in order to update permissions on the AdminSDHolder object in Active Directory, swapping ‘DC=example, DC=com” and EXAMPLE\ with the relevant names for domain.
dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\Specops Authentication Gatekeepers:CA;Reset Password;" "EXAMPLE\Specops Authentication Gatekeepers:RPWP;pwdLastSet;" "EXAMPLE\Specops Authentication Gatekeepers:RPWP;lockoutTime;"
For example, for AD domain specopsdemo1.com:
dsacls "CN=AdminSDHolder, CN=System, DC=specopsdemo1, DC=com" /G "SPECOPSDEMO1\Specops Authentication Gatekeepers:CA;Reset Password;" "SPECOPSDEMO1\Specops Authentication Gatekeepers:RPWP;pwdLastSet;" "SPECOPSDEMO1\Specops Authentication Gatekeepers:RPWP;lockoutTime;"
One the change is made, it will need to propagate out to all your admin accounts via an AD process called SDPROP. SDPROP will run automatically every 60 minutes (by default); to force it to run immediately see here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c–protected-accounts-and-groups-in-active-directory