Delegated password reset permission for your helpdesk

This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all along.

  1. Open Active Directory Users and Computers.
  2. Right-click on the user or group you want to delegate, and click Delegate Control…
  3. Click Next on the Welcome Wizard.
  4. Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
  5. Click OK once you’ve made your selection, followed by Next.
  6. Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
  7. Click Next, and Finish.
  8. Right-click on the newly modified user or group, and select Properties.
  9. Select the Security tab, and click Advanced.
  10. Click Add.
  11. Click Select a principal and enter the user name or group name that has been granted reset permission.
  12. Click OK.
  13. In the Applies to field, select Descendant User object.
  14. Scroll down and enable Read lockoutTime and Write lockoutTime.
  15. Click OK three times.
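
The same delegation can be scripted and then checked from PowerShell. This is an added example, not part of the original post or of any Specops product. It assumes the delegation is applied to an OU that contains the user accounts, and the OU path and the EXAMPLE\Helpdesk group are placeholders.

```powershell
# Added example. $ou and $group are assumed placeholder names.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # assumed container holding the users
$group = 'EXAMPLE\Helpdesk'             # assumed delegate group

# Steps 1-7: Reset Password extended right, plus read/write on pwdLastSet
# (the attribute behind "User must change password at next logon").
# /I:S limits inheritance to child objects; ";user" limits it to user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Steps 8-15: read/write lockoutTime so the group can unlock accounts.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Verification: list every Allow ACE the group holds on the OU and flag
# anything that is not one of the three expected object types.
$expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
}

$aces = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow'
}

foreach ($ace in $aces) {
    $name = $expected[$ace.ObjectType.ToString()]
    [pscustomobject]@{
        Rights      = $ace.ActiveDirectoryRights
        Inheritance = $ace.InheritanceType
        # An all-zero GUID here means the ACE is not scoped to one right or
        # attribute (for example GenericAll), which is broader than intended.
        Target      = if ($name) { $name } else { "UNEXPECTED: $($ace.ObjectType)" }
    }
}
```

Any row marked UNEXPECTED means the group holds more on that OU than password reset and unlock, and should be reviewed before the group is handed to helpdesk staff.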

As always, Specops Password Reset and uReset customers can benefit from the native integration with Active Directory, using their pre-existing settings with the solution. The delegated security model is useful not only for tightening access (particularly helpful at a time when violation of privileged access has resulted in data breaches), but also in larger environments where certain users can only administer a subset of users. In a school setting, for example, an instructor can only reset the passwords of the students in their class.

(Last updated on July 3, 2020)


Written by

Johan Soderstrom

Author at Specops Software
