Error: 'The AssistantAdmin does not have enough powers to run the 'UserSetPassword' operation.' (NETIQKB34416)

  • 7734416
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.60

symptom
Error: 'The AssistantAdmin does not have enough powers to run the 'UserSetPassword' operation.'

symptom
A permission error is returned when an Assistant Admin attempts to reset a user's account password.

symptom
Assistant Admins are unable to perform tasks such as modifying group memberships, updating user account properties, etc.

symptom
Assistant Admins who are members of the 'Administrators' group in one of the managed domains are unable to perform tasks such as modifying group memberships, updating user account properties and resetting user account passwords on objects in the other managed domains, even though they have been delegated the powers to perform the operation in Directory and Resource Administrator.

cause

The problem described above occurs if Directory and Resource Administrator (DRA) is configured to manage more than one domain, and the Assistant Admin is an Administrator in one of the managed domains and has been delegated certain powers over objects in another managed domain.

If the user account is an Administrator in any one of the managed domains, it is associated with the Built-in Domain Admins Assistant Admins group. This group allows the Assistant Admin to perform, through DRA, the same functions over objects in that domain that he/she could perform through 'Active Directory Users & Computers' or 'User Manager for Domains' by virtue of being a member of the domain's Administrators group. Because the Assistant Admin is an administrator in one of the managed domains, DRA enables certain fields in the Property page when the Assistant Admin attempts to reset a user account's password or modify the properties of an account in another managed domain in which he/she is not an administrator. When the Assistant Admin then attempts to modify or set properties over which he/she has not been delegated powers, the operation is rejected by the DRA server during authorization and the error message is returned.



fix

This problem has been corrected in the latest version of Directory and Resource Administrator. The DRA 7.x user interfaces enable only those fields over which the Assistant Admin has been delegated powers, even if the user is an Administrator in one of the managed domains. Other fields of a user account over which the Assistant Admin has not been delegated powers remain disabled, so the Assistant Admin cannot update them.

The following workaround is available if you are running Directory and Resource Administrator 6.60:

  • Remove the Assistant Admins from the 'Administrators' and/or 'Domain Admins' group. Create a new ActiveView and explicitly delegate the necessary powers to them in DRA so that they are able to perform their functions.
  • Delete the Built-in Domain Admins Assistant Admin Group.

In order to delete the Built-in Domain Admins Assistant Admin group, please perform the following steps on the primary DRA server:

  1. Launch RegEdit.
  2. Select the Built-in Domain Admins key under HKEY_LOCAL_MACHINE\Software\Mission Critical Software\Data\Modules\Security\Deputy.
  3. Select Delete from the Edit menu.
  4. Click Yes in the Confirm Key Delete dialog.
  5. Restart the MCS OnePoint Administration Server service.
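The same workaround as a single PowerShell script, added here as an example; it is not NetIQ's own procedure. It follows the five steps above: it checks that the key exists, exports it to a .reg file so the change can be reversed, deletes it, and restarts the service. The registry path is the one quoted in the article; the service's display name 'MCS OnePoint Administration Server' and the absence of WOW6432Node redirection (as on the 32-bit Windows installs of that era) are assumptions.

```powershell
# Added example (not part of the NetIQ article): scripted form of the
# five-step workaround for DRA 6.60, to be run in an elevated PowerShell
# session on the primary DRA server.
# Assumptions: the registry path is the one quoted in the article (no
# WOW6432Node redirection), and the service is located by the display
# name 'MCS OnePoint Administration Server'.

$deputyPath = 'HKLM:\Software\Mission Critical Software\Data\Modules\Security\Deputy'
$keyName    = 'Built-in Domain Admins'
$keyPath    = Join-Path $deputyPath $keyName
$serviceDisplayName = 'MCS OnePoint Administration Server'   # assumed display name
$backupFile = Join-Path $env:TEMP ('DRA-BuiltinDomainAdmins-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Confirm the key exists before touching anything.
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Host "Key '$keyPath' not found; nothing to delete."
    return
}

# 2. Export the key first so the change can be reversed with 'reg import'.
#    reg.exe expects the HKLM\... form rather than the HKLM:\ drive form.
$regExePath = 'HKLM\' + ($keyPath -replace '^HKLM:\\', '')
& reg.exe export "$regExePath" "$backupFile" /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of '$regExePath' failed (reg.exe exit code $LASTEXITCODE); aborting."
}
Write-Host "Backup written to $backupFile"

# 3. Delete the Built-in Domain Admins key and everything beneath it
#    (steps 2-4 of the manual procedure), then verify it is gone.
Remove-Item -LiteralPath $keyPath -Recurse -Force
if (Test-Path -LiteralPath $keyPath) {
    throw "Key '$keyPath' is still present after deletion."
}

# 4. Restart the DRA server service so the change takes effect (step 5).
$service = Get-Service -DisplayName $serviceDisplayName -ErrorAction Stop
Restart-Service -InputObject $service -Force
Write-Host "Restarted '$($service.DisplayName)' (status: $((Get-Service -Name $service.Name).Status))"
```

If the Assistant Admins lose powers you did not intend to remove, the exported .reg file can be re-imported with `reg import` and the service restarted again to return to the previous state.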


Additional Information

Formerly known as NETIQKB34416