Delegated password reset permission for your helpdesk

(Last updated on July 3, 2020)

This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all along.

  1. Open Active Directory Users and Computers.
  2. Right-click on the user or group you want to delegate, and click Delegate Control…
  3. Click Next on the Welcome Wizard.
  4. Click Add… and enter the user name or group name that will be granted reset permission (e.g. ExampleDomain\Helpdesk).
  5. Click OK once you’ve made your selection, followed by Next.
  6. Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
  7. Click Next, and Finish.
  8. Right-click on the newly modified user or group, and select Properties.
  9. Select the Security tab, and click Advanced.
  10. Click Add.
  11. Click Select a principal and enter the user name or group name that has been granted reset permission.
  12. Click OK.
  13. In the Applies to field, select Descendant User object.
  14. Scroll down and enable Read lockoutTime and Write lockoutTime.
  15. Click OK three times.
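The wizard steps above translate into three access control entries on the container you delegate: the Reset Password extended right, read/write on pwdLastSet (what "force password change at next logon" maps to), and read/write on lockoutTime (unlock). The script below is an added example, not part of the original post or a Specops tool, that applies the same delegation from PowerShell so it can be reviewed, scripted and audited instead of clicked through. It assumes the ActiveDirectory module is available, that it runs as an account allowed to change the container's ACL, and that the OU path and the Helpdesk group name are placeholders to replace with your own. The object and right GUIDs are resolved from the directory rather than hard-coded.

```powershell
# Added example: delegate password reset, force-change-at-next-logon and unlock
# to a helpdesk group by editing the AD ACL directly (equivalent to the wizard steps).
# Assumptions: ActiveDirectory module present; $TargetOU and $GroupName are placeholders.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Staff,DC=example,DC=com'   # placeholder: the OU to delegate over
$GroupName = 'Helpdesk'                     # placeholder: e.g. ExampleDomain\Helpdesk

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup -Identity $GroupName
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up schema and extended-right GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClassGuid   = Get-SchemaGuid 'user'             # "Applies to: Descendant User objects"
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'       # force change at next logon
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'      # unlock account (steps 8-15)
$resetPwdGuid    = Get-ExtendedRightGuid 'Reset Password'

$ar      = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$TargetOU"

# 1. Reset Password extended right, scoped to descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $ar::ExtendedRight, $allow, $resetPwdGuid, $inherit, $userClassGuid)))

# 2. Read/Write pwdLastSet so the helpdesk can force a change at next logon.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($ar::ReadProperty -bor $ar::WriteProperty), $allow, $pwdLastSetGuid, $inherit, $userClassGuid)))

# 3. Read/Write lockoutTime so the helpdesk can unlock accounts, nothing more.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($ar::ReadProperty -bor $ar::WriteProperty), $allow, $lockoutTimeGuid, $inherit, $userClassGuid)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show exactly which ACEs the group now holds on this OU (useful for periodic review).
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is the check worth keeping: because every ACE carries an InheritedObjectType of the user class, the group can act on user objects below the OU but cannot reset passwords on computer or service accounts, and it holds no rights on the OU itself. Re-running that query after changes, or comparing its output across OUs, is a cheap way to confirm the delegation has not drifted beyond reset and unlock.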

As always, Specops Password Reset and uReset customers can benefit from the native integration with Active Directory, using their pre-existing settings with the solution. The delegated security model is useful not only for tightening access (particularly helpful at a time when abuse of privileged access has resulted in data breaches), but also in larger environments where certain users should only administer a subset of users: in a school setting, for example, an instructor can be limited to resetting the passwords of the students in their own class.


Written by

Johan Soderstrom

Product Specialist, Specops Software
