You can check the effective permissions in Active Directory to determine the privileges that one account has on another account.
Web Active Directory products typically use a service account to connect to Active Directory and perform operations such as searching for objects, updating attributes or resetting passwords. The service account needs specific permissions on the target objects to do this, and those permissions are usually delegated on an OU and inherited by the accounts beneath it. Inheritance can be blocked on the container or on the account object itself, in which case a delegation that looks correct on the OU never reaches the account. Checking the effective permissions for an account lets you verify whether the intended privileges are actually applied for the service account.
To check effective permissions:
- Open Active Directory Users and Computers and connect to the appropriate domain.
- Ensure the view you are using shows advanced features by checking the View > Advanced Features option. This is necessary to see the Security tab so you can check effective permissions.
- Find the user account that you are testing in PeoplePassword.
- Open the Properties dialog box for the test account and switch to the Security tab.
- Click Advanced to view advanced and special permissions.
- In the Advanced Security Settings dialog, check whether the account is inheriting permissions from its parent container (the inheritance setting and the "Inherited From" column of the permission entries). If inheritance is blocked, that is why rights delegated on the OU to the LDAP service account that performs the password reset do not take effect on this account.
- To verify the effective permissions of the service account, switch to the Effective Permissions tab (labelled Effective Access on Windows Server 2012 and later).
- Click Select next to Group or user name and locate the service account.
- Once you select the service account, you will see a list of permissions with boxes checked for those the service account effectively holds on the test account. The evaluation includes rights granted through groups the service account belongs to, so a missing right means no direct or group-based ACE grants it. Verify that the permissions the product needs (for password resets, at least Reset Password) are allowed for the service account. If not, modify either the inheritance setting or the ACL of the test account, or of the OU the delegation was made on.
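The same check can be scripted so it can be repeated for many accounts or run by someone without access to the GUI. The following PowerShell script is an added example and is not part of the original article or of the PeoplePassword product. It assumes hypothetical names (test user `jdoe`, service account `svc-peoplepassword`) and a machine with the RSAT ActiveDirectory module. It reads the ACL the Security tab displays, reports whether inheritance is blocked, resolves the service account's nested group membership (which is what the Effective Permissions tab does for you), and decides whether a Reset Password ACE applies.

```powershell
# Added example (not from the original article or the PeoplePassword product).
# Audit the ACL of a test user and decide whether a service account, directly or
# through a nested group, holds the "Reset Password" right on it.
# Assumptions (hypothetical names): test user 'jdoe', service account
# 'svc-peoplepassword', RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$testUser       = 'jdoe'                 # hypothetical test account
$serviceAccount = 'svc-peoplepassword'   # hypothetical service account

# Well-known GUID of the "Reset Password" control access right.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$test = Get-ADUser -Identity $testUser
$svc  = Get-ADUser -Identity $serviceAccount
$acl  = Get-Acl -Path "AD:\$($test.DistinguishedName)"

# 1. Inheritance check: this is the setting shown in the Advanced dialog.
if ($acl.AreAccessRulesProtected) {
    Write-Warning "Inheritance is blocked on $($test.DistinguishedName); rights delegated on the parent OU do not reach this object."
}

# 2. Principals the service account acts as: itself plus every group it is in,
#    nested groups included (LDAP_MATCHING_RULE_IN_CHAIN resolves nesting server-side),
#    plus the well-known SIDs every logged-on domain account matches.
$sids = @($svc.SID.Value)
$sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))" |
         ForEach-Object { $_.SID.Value }
$sids += 'S-1-5-11', 'S-1-1-0'   # Authenticated Users, Everyone

function Get-AceSid {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    # IdentityReference is normally an NTAccount; translate it to a SID string for
    # comparison. Unresolvable (orphaned) SIDs are returned as they are.
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Ace.IdentityReference.Value }
}

function Test-AceCoversRight {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [guid]$RightGuid)
    # An ACE covers a control access right when the ExtendedRight bit is set
    # (GenericAll includes it) and the ACE applies to all rights (empty GUID) or to this one.
    (($Ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $RightGuid)
}

# 3. Keep only ACEs that apply to this object for those principals. Inherit-only
#    ACEs were propagated to reach deeper containers and grant nothing on this object.
$relevant = $acl.Access | Where-Object {
    ($sids -contains (Get-AceSid $_)) -and
    (($_.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0)
}

$relevant | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            ObjectType, IsInherited | Format-Table -AutoSize

$allow = $relevant | Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-AceCoversRight $_ $ResetPasswordRight) }
$deny  = $relevant | Where-Object { $_.AccessControlType -eq 'Deny'  -and (Test-AceCoversRight $_ $ResetPasswordRight) }

if ($deny) {
    # A matching Deny normally wins; exact precedence depends on ACE order, so treat it as something to fix.
    Write-Warning "A Deny ACE for Reset Password applies to $serviceAccount on $testUser."
} elseif ($allow) {
    Write-Output "OK: $serviceAccount can reset the password of $testUser (see the ACEs listed above)."
} else {
    Write-Output "MISSING: no ACE grants Reset Password to $serviceAccount on $testUser; fix inheritance or the ACL."
}
```

Run it as a user who can read the test account's security descriptor. The `IsInherited` column tells you whether a matching ACE came from the OU delegation or was set directly on the object; if the script warns that inheritance is blocked and no ACE is listed, re-enabling inheritance on the account (or on the intervening OU) is the fix rather than adding a direct ACE to every account.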
You can also use the Acldiag tool from the Windows Server Support Tools to check effective permissions; on current servers the in-box dsacls.exe dumps the same ACL from the command line. More information about Acldiag is available at http://technet.microsoft.com/en-us/li….
- Acldiag Overview: http://technet.microsoft.com/en-us/li…