This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 55.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello,
after installing the latest cumulative(KB5016616) and security(KB5012170) updates for August for win10 ver. 20H2 1094.1889, our HelpDesk is having problems with RSAT.
While traying to reset password they obtain following error "Windows cannot complete the password change for user because: Access is denied".
They have delegated rights for specific OU with security group to reset password, and they are not members of any admin builtin groups because we don't want them to have administrator rights.
After uninstalling of the latest patches the error is gone and they again can reset password.
Has anyone run into the same problem?
Also did anyone found maybe any workaround or fix for this issue?
Also our DC is on 2012 R2 and worksations are on Win 10 20H2.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 80%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC1%3C/text%3E%3C/svg%3E)
Did you ever get this resolved?
I have been searching high and low for an answer and coming up empty.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 36%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Hi guys
Having the same issue but it is on windows server 2019 RSAT feature.
Would it be a similar August update to affect this issue?
This has just come out of nowhere also and affected our service desk.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 15%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
I have Windows Server 2022 and Win11 - same issue here...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 66%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQS%3C/text%3E%3C/svg%3E)
I've encountered the same issue on Win11, but if I log onto one of our virtuals, I have no issues, no matter the OS version.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 61%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
An important question for all experiencing this issue:
How many of you have the following GPO setting for your domain controllers defined: Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\Security Options--> Network Access: Restrict Clients Allowed to Make Remote Calls to SAM Enabled, Security Descriptor = O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;
Though some of you may have compliance/regulatory concerns by changing this, if you add the AD group that needs the Reset Passwords permission, those users should be able to reset passwords again. If some of you are unable/unwilling to do this, I've found that resetting passwords via the Active Directory Administrative Center is a viable workaround.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 14.000000000000002%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I’m going to check this GPO tomorrow, I’d imagine as you suspect, this may be the culprit. Not sure though why this recently started giving us issues though.
Also worth noticing that Powershell (set-adaccountpassword) works perfectly fine as well.
What’s odd is it only seems to throw this access denied error on ADUC with windows 10. Going from another member server, or domain controller works perfectly fine. Of course, doesn’t really help with the help desk not being able to do password resets.
I do have this policy set in my environment for my Member Server 2016 and higher.
Now the funny part is it is set to "Administrators", which my group trying to change the password is part of the local administrators. I tried adding additional groups to the list to see if this fixed the issue but it did not. Was there something more you recommend or just unsetting the setting?
This is the closest thing I have seen to a potential fix for this issue and feeling frustrated for sure.
Strike my last comment. This 100% was my issue.
So while the policy was not applied via GPO, someone actually applied it via the registry.
Now what is still hilarious is that my Account Operators default group is still broken, and due to the type of group, you can't add it to the list...
THANK YOU for the information. I think I can actually move on from this issue for a bit now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES2%3C/text%3E%3C/svg%3E)
Thank you, this worked for me as well. I added the Security Groups I use for account management to this GPO and all is well again!
Same issue here. Tried removing the updates to no avail. I have a couple users trying this on Windows 11 as well. The only way I can get RSAT working is from accounts that have actual administrative rights on the domain. Let me know if anyone finds any workarounds.
I gave my self full delegated control on "test" OU and I can for example create new user but password cant be set, after that AD automatically disable that user. Also I was not able to reset password with delegated control in any OU, neither "test" OU with full delegated control..
Once I removed latest KB, all worked normal again..
So something is wrong with the latest KB that Microsoft pushed.
At the end I created new group in WSUS and I forced that group to remove latest KB and for now HelpDesk can reset passwords again..
Regedit WSUS from 1 -> 0 wont work since you already have updates on your workstation. You want to get latest security updates from Microsoft.