Reconcile Account
Script to set permissions for the Reconcile Group
The instructions below are based on this KB article.
The goal is to give the Reconcile Group the minimum permissions needed to change user passwords.
In Active Directory Users and Computers (you must have View > Advanced Features enabled to proceed), right-click the domain > Properties
Go to the Security tab
Click Advanced
Select Add
Click "Select a principal" at the top and search for the Reconcile Group
Applies to: drop-down menu > select "Descendant User objects" at the bottom
Scroll to the very bottom and select "Clear all" to clear all permissions
Scroll to the top and select the following permissions:
1. Reset Password
2. Read permissions
3. Read account restrictions
4. Read general information
5. Read group membership
6. Read logon information
Once complete, select OK and OK again.
Members of Domain Admins, along with several other groups, are protected accounts. If you change the ACL on a member of a protected group, Active Directory will eventually (by default every 60 minutes, via the SDProp process) reset that ACL from a secure template. This template is the AdminSDHolder object, always found in the System container of the domain.
In order to grant your reconcile account the ability to change the password for members of protected groups, you must add that permission to the AdminSDHolder template.
The following script modifies the domain ACL and the AdminSDHolder template. Besides Reset Password it also grants read/write on lockoutTime (writing lockoutTime is what unlocks an account) and on the account restrictions property set. Note that the dsacls "WD" right it grants means "change security information" (write the object's DACL), which is broader than anything in the GUI list above; review whether your deployment really needs it before running the script.
# This script sets the minimum permissions for the reconcile account.
# Requires the ActiveDirectory PowerShell module (RSAT) and must be run by an
# account allowed to modify the domain and AdminSDHolder ACLs (e.g. a Domain Admin).
Import-Module ActiveDirectory

# Set the AD account that will be used for Reconcile
$ReconcileAccount = "<Domain>\<ReconcileUser>"

# This gets the AD domain in DN format
$DistinguishedName = (Get-ADDomain).DistinguishedName
Write-Host "Domain DN is =" $DistinguishedName

# Domain permissions. /I:S applies the ACE to sub-objects only (it is inherited
# by descendant user objects, not applied to the domain head itself).
# dsacls right codes: CA = control access (extended right), RP/WP = read/write
# property, WD = change security information (write the object's DACL).
dsacls.exe $DistinguishedName /I:S /G "${ReconcileAccount}:CA;Reset Password;user"
dsacls.exe $DistinguishedName /I:S /G "${ReconcileAccount}:WD"   # WD is write-DACL, not a password right; confirm it is really needed
dsacls.exe $DistinguishedName /I:S /G "${ReconcileAccount}:WPRP;lockoutTime;user"
dsacls.exe $DistinguishedName /I:S /G "${ReconcileAccount}:WPRP;account restrictions;user"

# This gets the AdminSDHolder DN
$AdminSDHolderDN = "CN=AdminSDHolder,CN=System,$DistinguishedName"
Write-Host "AdminSDHolder DN is =" $AdminSDHolderDN

# AdminSDHolder template. No /I switch here: SDProp copies this DACL directly
# onto each protected account.
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:CA;Reset Password"
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:WD"   # same caveat as above
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:RP;lockoutTime"
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:WP;lockoutTime"
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:RP;account restrictions"
dsacls.exe $AdminSDHolderDN /G "${ReconcileAccount}:WP;account restrictions"
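After either the GUI steps or the script, it is worth reading the ACLs back rather than trusting that dsacls did what was intended. The following PowerShell is an added verification example, not part of the KB article or the script above: it lists every ACE held by the reconcile account on the domain head and on AdminSDHolder, resolves the object-type GUIDs to their schema and extended-right names so the output can be compared with the permission list above, warns if the Reset Password right is missing, and warns if the account holds WriteDacl (the dsacls "WD" right). It assumes the same `<Domain>\<ReconcileUser>` placeholder as the script and that the ActiveDirectory module is installed; the function and variable names are this example's own.

```powershell
# Added verification example (not the KB's code). Reads back the ACEs granted to
# the reconcile account on the domain head and on AdminSDHolder.
Import-Module ActiveDirectory

$ReconcileAccount = "<Domain>\<ReconcileUser>"   # same placeholder as the script above
$DomainDN         = (Get-ADDomain).DistinguishedName
$AdminSDHolderDN  = "CN=AdminSDHolder,CN=System,$DomainDN"
$RootDSE          = Get-ADRootDSE

# Build a GUID -> name map from the schema (attributes/classes) and from the
# Extended-Rights container (control access rights such as "Reset Password"),
# so ACE object types print as names instead of raw GUIDs.
$GuidMap = @{}
Get-ADObject -SearchBase $RootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[([guid]$_.rightsGuid).Guid] = $_.displayName }

function Resolve-Guid([guid]$Guid) {
    # An empty GUID in an ACE means "all properties / all object types".
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($GuidMap.ContainsKey($Guid.Guid)) { return $GuidMap[$Guid.Guid] }
    return $Guid.Guid
}

function Get-ReconcileAces([string]$Dn) {
    # Only ACEs whose trustee is the reconcile account; both explicit and inherited.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $ReconcileAccount } |
        ForEach-Object {
            [pscustomobject]@{
                Object      = $Dn
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = Resolve-Guid $_.ObjectType
                InheritedTo = Resolve-Guid $_.InheritedObjectType
                Inheritance = $_.InheritanceType
                Type        = $_.AccessControlType
            }
        }
}

$Aces = @()
$Aces += Get-ReconcileAces $DomainDN
$Aces += Get-ReconcileAces $AdminSDHolderDN
$Aces | Format-Table -AutoSize

# Checks: Reset Password must be granted on both objects. WriteDacl (dsacls "WD",
# "change security information") lets the trustee rewrite the DACL of every
# descendant user, and on AdminSDHolder of every protected account, so flag it.
foreach ($Dn in @($DomainDN, $AdminSDHolderDN)) {
    $Reset = $Aces | Where-Object {
        $_.Object -eq $Dn -and $_.ObjectType -eq 'Reset Password' -and $_.Type -eq 'Allow'
    }
    if (-not $Reset) { Write-Warning "No 'Reset Password' ACE for $ReconcileAccount on $Dn" }

    $WriteDacl = $Aces | Where-Object {
        $_.Object -eq $Dn -and
        [int]($_.Rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0
    }
    if ($WriteDacl) { Write-Warning "$ReconcileAccount holds WriteDacl on $Dn; confirm this is intended" }
}
```

Run it from a domain-joined host with RSAT as a user who can read the domain and AdminSDHolder security descriptors (any authenticated user can normally read them). The InheritedTo column should read `user` for the domain-head ACEs created with `/I:S`, and `(all)` for the AdminSDHolder ACEs, which SDProp applies directly to each protected account.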