Delegated password reset permission for your helpdesk
(Last updated on July 3, 2020)
This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all along.
- Open Active Directory Users and Computers.
- Right-click on the user or group you want to delegate, and click Delegate Control…
- Click Next on the Welcome Wizard.
- Click Add… and enter the user name or group name that will be granted reset permission (e.g. ExampleDomain\Helpdesk).
- Click OK once you’ve made your selection, followed by Next.
- Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
- Click Next, and Finish.
- Right-click on the newly modified user or group, and select Properties.
- Select the Security tab, and click Advanced.
- Click Add.
- Click Select a principal and enter the user name or group name that has been granted reset permission.
- Click OK.
- In the Applies to field, select Descendant User object.
- Scroll down and enable Read lockoutTime and Write lockoutTime.
- Click OK three times.
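The same delegation scripted in PowerShell, as an added example that is not part of the original post: it grants the wizard's "Reset user passwords and force password change at next logon" rights plus the lockoutTime read/write ACEs on descendant user objects, then lists what was granted. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and the group name are placeholders.

```powershell
# Added example (not from the Specops post). Assumes the RSAT ActiveDirectory module;
# the OU and group below are placeholders to replace with your own values.
Import-Module ActiveDirectory

$ouDN      = 'OU=Students,DC=example,DC=com'   # placeholder: OU whose users are delegated
$groupName = 'Helpdesk'                        # placeholder: group receiving the rights

# Resolve the object GUIDs from the schema and configuration partitions instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

$sid      = (Get-ADGroup -Identity $groupName).SID
$userGuid = Get-SchemaGuid 'user'          # ACEs apply to descendant user objects only
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rw       = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ext      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = @(
    # Reset user passwords: the "Reset Password" extended right
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow,
        (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userGuid),
    # Force password change at next logon: read/write pwdLastSet
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow,
        (Get-SchemaGuid 'pwdLastSet'), $inherit, $userGuid),
    # Unlock accounts: read/write lockoutTime (the Advanced security steps in the post)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow,
        (Get-SchemaGuid 'lockoutTime'), $inherit, $userGuid)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the explicit (non-inherited) ACEs granted to the group on the OU.
function Get-DelegatedRules([string]$dn, [string]$identity) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$identity" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedRules -dn $ouDN -identity $groupName
```

The ACEs are inherited only by user objects beneath the chosen OU, so accounts stored elsewhere are unaffected. Members of protected groups (adminCount=1) keep the permissions stamped by AdminSDHolder, so this delegation does not extend to them.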
As always, Specops Password Reset and uReset customers can benefit from the native integration with Active Directory, using their pre-existing settings with the solution. The delegated security model is not only useful for tightening access (particularly helpful at a time when misuse of privileged access has resulted in data breaches), but also in larger environments where certain users may only administer a subset of users: in a school setting, for example, an instructor can be limited to resetting the passwords of the students in their own class.