
Delegate Access to Manage Specops Password Policy

By default, Password Policy configuration is restricted to domain admins and other high-privilege AD user accounts. This article details the steps required to delegate management of Specops Password Policy to non-admin users.

Active Directory System Settings Containers

Global settings for Specops Password Policy are stored in a Specops container beneath the System container in Active Directory. There are two sub-containers, one for Password Policy and one for Breached Password Protection:

CN=Password Policy,CN=Specops,CN=System,DC=contoso,DC=local
CN=Breached Password Protection,CN=Specops,CN=System,DC=contoso,DC=local

Grant full access to both of these containers (read/write all attributes and create/delete child containers).


Additional global settings and the Breached Password Protection Express List are stored in a SpecopsPassword folder under the Policies folder in SYSVOL:


Grant full control of this folder.

Group Policy

Password Policy settings are stored in user-based Group Policy objects (GPOs). Either grant the user full control to create and link GPOs in Active Directory or, for more granular control, have a domain admin create, link, and scope GPOs as needed, then grant modify access to each GPO so the Password Policy admin can edit them.
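One way to script the three grants described in this article, as an added example that is not Specops' own code: it delegates to a single AD group rather than to individual users, takes the granular GPO option, and then lists the resulting permissions for review. The group name, the GPO name and the `SysvolFolder` parameter are assumptions; the container DNs are the ones shown above.

```powershell
# Added example: delegate Specops Password Policy management to one AD group.
param(
    [string]$Group = 'SPP-Policy-Admins',        # hypothetical delegation group
    [string]$DomainDN = 'DC=contoso,DC=local',   # domain used in the article
    [Parameter(Mandatory)]
    [string]$SysvolFolder,                       # SpecopsPassword folder; path is not given in the article
    [string[]]$GpoNames = @('Specops Password Policy - Staff')   # hypothetical GPO name
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, GroupPolicy
$sid = (Get-ADGroup -Identity $Group).SID

# 1. Full control on both Specops containers, inherited by all child objects.
$containers = 'CN=Password Policy', 'CN=Breached Password Protection' |
    ForEach-Object { "$_,CN=Specops,CN=System,$DomainDN" }
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# 2. Full control on the SYSVOL folder, inherited by its files and subfolders.
$facl = Get-Acl -Path $SysvolFolder
$frule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$facl.AddAccessRule($frule)
Set-Acl -Path $SysvolFolder -AclObject $facl

# 3. Granular option: edit rights only on GPOs a domain admin already created and linked.
foreach ($name in $GpoNames) {
    Set-GPPermission -Name $name -TargetName $Group -TargetType Group -PermissionLevel GpoEdit | Out-Null
}

# Review: show what the group now holds on the containers and on each GPO.
foreach ($dn in $containers) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object @{n='Container';e={$dn}}, ActiveDirectoryRights, InheritanceType, IsInherited
}
foreach ($name in $GpoNames) {
    Get-GPPermission -Name $name -TargetName $Group -TargetType Group
}
```

Run it as a domain admin on a machine with the RSAT ActiveDirectory and GroupPolicy modules installed; membership of the delegation group then becomes the one place to review who can change password policy.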

July 14, 2021
