Resolution
How do I configure the $SpecialGroupsPolicy so that Assistant Admins are only able to reset passwords for members of other Special Groups?
fact
Directory and Resource Administrator 6.6
fact
Directory and Resource Administrator 7.x
fix
To allow Assistant Admins to reset the password of a user who is a member of a built-in special group, the $SpecialGroupsPolicy must be disabled. Disabling the $SpecialGroupsPolicy lets the Assistant Admin reset the password of a user who is a member of a Special Group, and also modify any other properties for which they have been delegated powers.
Note: If the Assistant Admin has the ability to modify group memberships, it is recommended that an exclusion rule be created so that the Assistant Admin is not able to modify the membership of these groups; otherwise an escalation of powers could occur. The rule should include all the special groups and is intended to limit group membership powers only.
Follow these steps to disable the $SpecialGroupsPolicy:
In DRA 6.6:
- Launch the DRA MMC
- Expand Policy and Automation Management
- Select Policy
- From the window on the right, select $SpecialGroupsPolicy
- From the menu options above, select Disable
In DRA 7.x:
- Launch the Delegation and Configuration Console
- Expand Policy and Automation Management
- Select Policy
- From the window on the right, right-click $SpecialGroupsPolicy and select Disable
In addition to the above workaround, the following UNSUPPORTED workaround can also be implemented:
On the Directory and Resource Administrator server, delete the $OpRule<UserSetPassword> key under HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint\Administration\Data\Modules\Policy\Scope\$PolicyScope<$SpecialGroupsPolicy>\Rules.
Once this key is deleted, the $SpecialGroupsPolicy is no longer enforced when an Assistant Admin attempts to reset the password of a user account that is a member of any special group, but it is still enforced for every other operation.
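The following PowerShell script is an added example, not part of this KB article or of DRA itself. It audits whether the $OpRule<UserSetPassword> key is still present (i.e. whether the policy still applies to password resets), and exports the whole Rules key to a .reg file before the unsupported deletion so the change can be reverted. It assumes the registry path exactly as given above and that it is run in an elevated session on the DRA server; the function and variable names are the author's own.

```powershell
# Added example: audit / back up / apply the unsupported $OpRule<UserSetPassword> workaround.
# Single quotes are used so PowerShell does not expand $PolicyScope or $SpecialGroupsPolicy.
# Path assumed from the KB article; run elevated on the DRA server.
$rulesKey = 'HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Policy\Scope\$PolicyScope<$SpecialGroupsPolicy>\Rules'
$ruleName = '$OpRule<UserSetPassword>'
$ruleKey  = "$rulesKey\$ruleName"

function Test-SetPasswordRulePresent {
    # True when the rule exists, i.e. DRA still enforces the policy on password resets.
    return (Test-Path -LiteralPath $ruleKey)
}

function Backup-RulesKey {
    param([string]$OutFile = "$env:TEMP\SpecialGroupsPolicy-Rules-$(Get-Date -Format yyyyMMddHHmmss).reg")
    # reg.exe expects the native HKLM\... form rather than the HKLM:\ provider path.
    $nativePath = $rulesKey -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $nativePath $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $nativePath failed (exit code $LASTEXITCODE)" }
    return $OutFile
}

function Remove-SetPasswordRule {
    # Supports -WhatIf / -Confirm so the deletion can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-SetPasswordRulePresent)) {
        Write-Host ('{0} is already absent; the policy is not enforced for password resets.' -f $ruleName)
        return
    }
    $backup = Backup-RulesKey
    Write-Host "Rules key exported to $backup (import this file to restore the original state)"
    if ($PSCmdlet.ShouldProcess($ruleKey, 'Remove registry key')) {
        Remove-Item -LiteralPath $ruleKey -Recurse
    }
}

# Audit only: report the current state without changing anything.
if (Test-SetPasswordRulePresent) {
    Write-Host ('{0} present: $SpecialGroupsPolicy still applies to password resets.' -f $ruleName)
} else {
    Write-Host ('{0} absent: the unsupported workaround is already in effect.' -f $ruleName)
}
# To apply the workaround, first rehearse with: Remove-SetPasswordRule -WhatIf
# then run Remove-SetPasswordRule without -WhatIf.
```

Re-running the audit section after a DRA upgrade shows whether the key has been recreated, which is the expected way an unsupported registry change would be silently undone.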
note
For further information about Special Groups and this policy see NetIQKB308.