Delegated password reset permission for your helpdesk
(Last updated on August 2, 2018)
This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all along.
- Open Active Directory Users and Computers.
- Right-click on the user or group you want to delegate, and click Delegate Control…
- Click Next on the Welcome Wizard.
- Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
- Click OK once you’ve made your selection, followed by Next.
- Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
- Click Next, and Finish.
- Right-click on the newly modified user or group, and select Properties.
- Select the Security tab, and click Advanced.
- Click Add.
- Click Select a principal and enter the user name or group name that has been granted reset permission.
- Click OK.
- In the Applies to field, select Descendant User object.
- Scroll down and enable Read lockoutTime and Write lockoutTime.
- Click OK three times.
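The same delegation can be scripted and then audited. The PowerShell below is an added example, not part of the original post: it applies the three permissions from the steps above with dsacls and then lists every principal that holds them on the container. The container DN is a hypothetical placeholder, and the script assumes the RSAT ActiveDirectory module (for the AD: drive) and dsacls.exe are available.

```powershell
# Added example: scripted equivalent of the wizard steps, followed by an audit.
# Assumptions: $TargetDn is a hypothetical placeholder; run from a host with
# the RSAT ActiveDirectory module and dsacls.exe installed.
Import-Module ActiveDirectory

$TargetDn = 'OU=Staff,DC=example,DC=com'   # hypothetical container
$Delegate = 'ExampleDomain\Helpdesk'       # group used in the steps above

# /I:S applies each entry to child objects only; the trailing ";user"
# limits it to descendant user objects.
$grants = @(
    'CA;Reset Password;user',   # extended right: reset user passwords
    'RPWP;pwdLastSet;user',     # force password change at next logon
    'RPWP;lockoutTime;user'     # Read/Write lockoutTime (unlock accounts)
)
foreach ($g in $grants) {
    & dsacls.exe $TargetDn /I:S /G "${Delegate}:$g"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g'" }
}

# Audit: map the schema/extended-right GUIDs back to readable names and
# show every Allow entry on the container that carries one of them.
$guidNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
}
(Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $guidNames.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference,
        @{ n = 'Target'; e = { $guidNames[$_.ObjectType.ToString()] } },
        ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference, Target |
    Format-Table -AutoSize
```

Any principal in the audit output other than the intended helpdesk group is worth reviewing, since these entries allow password resets and unlocks for every user under the container.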
As always, Specops Password Reset and uReset customers can benefit from the native integration with Active Directory, using their pre-existing settings with the solution. The delegated security model is useful not only for tightening access (particularly helpful at a time when violation of privileged access has resulted in data breaches), but also in larger environments where certain users can only administer a subset of users. In a school setting, for example, an instructor can only reset the passwords of the students in their class.