Allow Password Reset For AD Administrators

Tags: Repositories Self Service SSPR

Problem Definition

Administrators and other highly privileged user accounts in Active Directory receive an error when resetting a forgotten password through PortalGuard. Other normal user accounts do not experience this problem. The error typically looks like the screenshot below:


The account cannot be modified because a built-in Active Directory background process called SDPROP purposely disables ACL inheritance on highly privileged accounts in AD. Please see these links for more background information:

During initial PortalGuard setup/configuration, the 'Delegate Rights' wizard is run to give the PortalGuard service account the permissions needed to reset passwords and unlock user accounts. If this targets the root domain, it will automatically grant these permissions to all child objects that inherit their ACLs. Because the highly privileged accounts have ACL inheritance disabled automatically by the SDPROP process, the 'Delegate Rights' wizard action does not apply to them.


To allow administrators to reset their passwords through PortalGuard, you will need to explicitly grant the PortalGuard service account the required permissions. Please follow the steps below to do so:

  • Open the Active Directory Users and Computers snap-in
  • Ensure Advanced Features have been enabled in this snap-in - it makes the 'Security' tab visible so ACLs can be edited. To do this, check the 'Advanced Features' item under the 'View' menu:
  • Find the administrative user account, right-click it and choose Properties from the pop-up menu
  • Choose the Security tab -> Advanced button
  • Click the Add button
  • In the 'Permission Entry' dialog, click the 'Select a principal' link and specify your PortalGuard service account
  • In the interest of 'least privilege', scroll down to the very bottom of this dialog and click the 'Clear all' button to remove all permissions
  • Now click/enable the following individual permissions:
    • Change password (under 'Permissions')
    • Reset password (under 'Permissions')
    • Read lockoutTime (under 'Properties')
    • Write lockoutTime (under 'Properties')
  • Click 'OK' on the 'Permission Entry' dialog to save these changes, then click 'OK' on the 'Advanced Security Settings' dialog and finally click 'OK' on the user account 'Properties' dialog.

Retry the administrative password reset through PortalGuard to ensure the changes worked. Because these accounts have independent ACLs, the same steps must be performed for each administrative account.
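
Because the steps above must be repeated for each administrative account, the same explicit grant can be scripted. The PowerShell below is an added example, not PortalGuard's own tooling; it assumes the ActiveDirectory RSAT module is installed, and both account names are placeholders.

```powershell
# Added example: account names below are placeholders, not values from this page.
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\svc-portalguard'   # placeholder: your PortalGuard service account
$TargetAdmin    = 'admin-jdoe'                # placeholder: sAMAccountName of the admin account

$sid  = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$user = Get-ADUser -Identity $TargetAdmin -Properties adminCount
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Confirm the diagnosis: protected accounts have adminCount = 1 and inheritance disabled.
"adminCount = $($user.adminCount); inheritance disabled = $($acl.AreAccessRulesProtected)"

# Resolve the permission GUIDs from the directory instead of hard-coding them.
$root = Get-ADRootDSE
function Get-RightGuid([string]$Cn) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
            -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$changePwd = Get-RightGuid 'User-Change-Password'         # 'Change password'
$resetPwd  = Get-RightGuid 'User-Force-Change-Password'   # 'Reset password'
$lockout   = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID

# Explicit, non-inherited allow ACEs: the same least-privilege set as the GUI steps
# (read and write of lockoutTime are combined into one ACE).
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rw    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
foreach ($r in @(@($ext, $changePwd), @($ext, $resetPwd), @($rw, $lockout))) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $r[0], $allow, $r[1], $none
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Verify: list the explicit ACEs the service account now holds on this object.
(Get-Acl -Path $path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
```

SDPROP periodically re-applies the ACL of the AdminSDHolder object to protected accounts, so re-run the verification step after its next run to confirm the entries are still present.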

If these steps do not resolve the issue, please ensure the 'Trace' Log Level was set in the bootstrap in PG_Config, reproduce the problem and send the current day's PG_Log...txt file to us at

Page last modified on April 15, 2016, at 10:56 AM