RSAT - Access denied - After August KB5016616 & kb5012170 updates

Blast 16

Hello,

after installing the latest cumulative(KB5016616) and security(KB5012170) updates for August for win10 ver. 20H2 1094.1889, our HelpDesk is having problems with RSAT.
While traying to reset password they obtain following error "Windows cannot complete the password change for user because: Access is denied".

They have delegated rights for specific OU with security group to reset password, and they are not members of any admin builtin groups because we don't want them to have administrator rights.

After uninstalling of the latest patches the error is gone and they again can reset password.

Has anyone run into the same problem?

Also did anyone found maybe any workaround or fix for this issue?

Also our DC is on 2012 R2 and worksations are on Win 10 20H2.

chrismholmes-125 6 Reputation points

2022-10-26T08:21:52.293+00:00

Did you ever get this resolved?

I have been searching high and low for an answer and coming up empty.

8 answers

Scuzzy5150 1 Reputation point

2022-10-19T13:44:02.107+00:00

An important question for all experiencing this issue:

How many of you have the following GPO setting for your domain controllers defined: Computer Configuration\Policies\Windows Settings\Security Settings\Local Settings\Security Options--> Network Access: Restrict Clients Allowed to Make Remote Calls to SAM Enabled, Security Descriptor = O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;

Though some of you may have compliance/regulatory concerns by changing this, if you add the AD group that needs the Reset Passwords permission, those users should be able to reset passwords again. If some of you are unable/unwilling to do this, I've found that resetting passwords via the Active Directory Administrative Center is a viable workaround.
Please sign in to rate this answer.
Jason Supple 1 Reputation point

2022-10-24T21:40:23.497+00:00

I’m going to check this GPO tomorrow, I’d imagine as you suspect, this may be the culprit. Not sure though why this recently started giving us issues though.

Also worth noticing that Powershell (set-adaccountpassword) works perfectly fine as well.

What’s odd is it only seems to throw this access denied error on ADUC with windows 10. Going from another member server, or domain controller works perfectly fine. Of course, doesn’t really help with the help desk not being able to do password resets.

chrismholmes-125 6 Reputation points

2022-10-26T08:25:34.053+00:00

I do have this policy set in my environment for my Member Server 2016 and higher.

Now the funny part is it is set to "Administrators", which my group trying to change the password is part of the local administrators. I tried adding additional groups to the list to see if this fixed the issue but it did not. Was there something more you recommend or just unsetting the setting?

This is the closest thing I have seen to a potential fix for this issue and feeling frustrated for sure.

chrismholmes-125 6 Reputation points

2022-10-26T08:51:32.367+00:00

Strike my last comment. This 100% was my issue.

So while the policy was not applied via GPO, someone actually applied it via the registry.

Now what is still hilarious is that my Account Operators default group is still broken, and due to the type of group, you can't add it to the list...

THANK YOU for the information. I think I can actually move on from this issue for a bit now.

ShawnP-2756 1 Reputation point

2022-10-26T14:17:09.68+00:00

Thank you, this worked for me as well. I added the Security Groups I use for account management to this GPO and all is well again!
Sign in to comment
q sligh 21 Reputation points

2022-11-08T19:03:19.337+00:00

I've encountered the same issue on Win11, but if I log onto one of our virtuals, I have no issues, no matter the OS version.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Nick Karamath 1 Reputation point

2022-11-25T10:55:58.797+00:00

Hi guys

Having the same issue but it is on windows server 2019 RSAT feature.

Would it be a similar August update to affect this issue?

This has just come out of nowhere also and affected our service desk.
Please sign in to rate this answer.
Dion Whitehouse 0 Reputation points

2023-02-22T22:41:58.0066667+00:00

I have Windows Server 2022 and Win11 - same issue here...
Sign in to comment