Channel: Security forum

IT Person Cannot Change His Own Admin Pwd in ADUC


Hello,

Any tips/links/ideas for troubleshooting this scenario?

We have a helpdesk person that is not a domain administrator, but is a part of the domain\administrators group. He cannot use the AD Users and Computers console to change his administrator password. He does run it with "run as" as his admin account. When he tries, it gives the error "Windows cannot complete the password change for "Bill Gates" :) because: Access denied". In the event viewer of that DC, I see event ID 4724 (source = Microsoft Windows security), which really does not provide any helpful information. He can change other people's passwords without issue.

We have an ADFS web page that does allow him to change his password using that method.

I have found this page:

https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/

And am not sure if this is what's going on. I guess it is possible that someone temporarily gave him domain admin rights and removed it. In ADSI I can see the attribute "AdminCount" = 1 for his account. But wouldn't that prevent him from changing the password using any method (i.e., the ADFS web password portal would not work for him)?

Does anyone know how to find out more detail about why a password change action is denied?
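
One way to gather more detail on the account described above, as an added example that is not part of the original post: a read-only PowerShell check of `adminCount`, ACL inheritance, and the access-control entries that govern password reset versus password change on the user object. It assumes the RSAT ActiveDirectory module is available; the account name `helpdesk-admin` is a placeholder.

```powershell
# Added example (not from the original post). Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

$sam = 'helpdesk-admin'   # placeholder sAMAccountName, replace with the affected account

# Extended rights that control password operations on a user object.
# "Reset Password" is what the ADUC reset dialog exercises (logged as event 4724).
# "Change Password" requires knowledge of the current password.
$pwdRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}

$user = Get-ADUser -Identity $sam -Properties adminCount, nTSecurityDescriptor, memberOf
$sd   = $user.nTSecurityDescriptor

# adminCount = 1 with inheritance blocked indicates the ACL was stamped from AdminSDHolder.
[pscustomobject]@{
    Account            = $user.SamAccountName
    AdminCount         = $user.adminCount
    InheritanceBlocked = $sd.AreAccessRulesProtected
    MemberOf           = ($user.memberOf -join '; ')
} | Format-List

# List every ACE that grants or denies an extended right covering password operations.
# An empty ObjectType GUID means the ACE applies to all extended rights.
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sd.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq [guid]::Empty -or $pwdRights.ContainsKey($_.ObjectType.ToString()))
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
        @{ Name = 'Right'; Expression = {
            if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' }
            else { $pwdRights[$_.ObjectType.ToString()] }
        } } |
    Sort-Object Right, AccessControlType |
    Format-Table -AutoSize
```

Comparing the identities listed for "Reset Password" with the groups the admin account actually belongs to shows whether the reset path is permitted, independently of the "Change Password" path.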

