This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 55.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello,
after installing the latest cumulative(KB5016616) and security(KB5012170) updates for August for win10 ver. 20H2 1094.1889, our HelpDesk is having problems with RSAT.
While traying to reset password they obtain following error "Windows cannot complete the password change for user because: Access is denied".
They have delegated rights for specific OU with security group to reset password, and they are not members of any admin builtin groups because we don't want them to have administrator rights.
After uninstalling of the latest patches the error is gone and they again can reset password.
Has anyone run into the same problem?
Also did anyone found maybe any workaround or fix for this issue?
Also our DC is on 2012 R2 and worksations are on Win 10 20H2.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 80%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC1%3C/text%3E%3C/svg%3E)
Did you ever get this resolved?
I have been searching high and low for an answer and coming up empty.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 73%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
Same issue here. No solution found.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 48%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
You need to Modify UseWUServer registry key ![![234122-image.png][1]][1] [1]: /api/attachments/234103-image.png?platform=QnA
I gave my self full delegated control on "test" OU and I can for example create new user but password cant be set, after that AD automatically disable that user. Also I was not able to reset password with delegated control in any OU, neither "test" OU with full delegated control..
Once I removed latest KB, all worked normal again..
So something is wrong with the latest KB that Microsoft pushed.
At the end I created new group in WSUS and I forced that group to remove latest KB and for now HelpDesk can reset passwords again..
Regedit WSUS from 1 -> 0 wont work since you already have updates on your workstation. You want to get latest security updates from Microsoft.
No luck on the regkey. I wonder what WindowsUpdate has to do with the AD permissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES2%3C/text%3E%3C/svg%3E)
Same issue here. Tried removing the updates to no avail. I have a couple users trying this on Windows 11 as well. The only way I can get RSAT working is from accounts that have actual administrative rights on the domain. Let me know if anyone finds any workarounds.