Delegate Access to Manage Specops Password Policy
By default, Specops Password Policy can be configured only by domain admins and other high-privilege AD user accounts. This article details the steps required to delegate management of Specops Password Policy to non-admin users.
Active Directory System Settings Containers
Global settings for Specops Password Policy are stored in a Specops container beneath the System container in Active Directory. There are two sub-containers, one for Password Policy and one for Breached Password Protection:
CN=Password Policy,CN=Specops,CN=System,DC=contoso,DC=local
CN=Breached Password Protection,CN=Specops,CN=System,DC=contoso,DC=local
Grant full access to both of these containers (read/write all attributes and create/delete child containers).
SYSVOL Share
Additional global settings and the Breached Password Protection Express List are stored in a SpecopsPassword folder under the Policies folder in SYSVOL:
\\contoso.local\SYSVOL\contoso.local\policies\SpecopsPassword
Grant full control of this folder.
Group Policy
Password Policy settings are stored in user-based Group Policy objects. There are two options: grant the user full control to create and link GPOs in Active Directory, or, for more granular control, have a domain admin create, link and scope the GPOs as needed and then grant modify access on each GPO so the Password Policy admin can edit them.
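The three grants above (the two AD containers, the SYSVOL folder and per-GPO edit rights) can be applied in one pass with PowerShell. The following is an added example, not a script from the Specops article or product; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that it runs as a domain admin, and that the group name SPP-Admins and the GPO name are placeholders you replace with your own. The domain is read from Get-ADDomain rather than hard-coded to contoso.local. It takes the granular Group Policy option (edit rights on GPOs a domain admin already created and linked) and ends with a read-back of each ACL so you can confirm exactly what the group was given.

```powershell
# Added example (not from the Specops article): delegate Specops Password Policy
# management to one AD security group. SPP-Admins and the GPO name are placeholders.
#Requires -Modules ActiveDirectory, GroupPolicy

$DelegatedGroup = 'SPP-Admins'                           # placeholder group
$GpoNames       = @('Specops Password Policy - Staff')   # placeholder: GPOs already created/linked by a domain admin

$domain   = Get-ADDomain
$group    = Get-ADGroup -Identity $DelegatedGroup
$identity = [System.Security.Principal.SecurityIdentifier]$group.SID

# 1. AD System settings containers: full access (read/write all attributes,
#    create/delete child objects), inherited by everything beneath them.
$containers = @(
    "CN=Password Policy,CN=Specops,CN=System,$($domain.DistinguishedName)",
    "CN=Breached Password Protection,CN=Specops,CN=System,$($domain.DistinguishedName)"
)
foreach ($dn in $containers) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# 2. SYSVOL folder: NTFS Full Control on the folder, its subfolders and files.
$sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\SpecopsPassword"
$acl  = Get-Acl -Path $sysvolPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sysvolPath -AclObject $acl

# 3. Group Policy: edit rights on each pre-created GPO only. This is the granular
#    option; it does not let the group create or link GPOs domain-wide.
foreach ($gpo in $GpoNames) {
    Set-GPPermission -Name $gpo -TargetName $DelegatedGroup -TargetType Group -PermissionLevel GpoEdit | Out-Null
}

# Verification: read back what the group now holds on each object.
foreach ($dn in $containers) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" } |
        Select-Object @{ n = 'Object'; e = { $dn } }, ActiveDirectoryRights, InheritanceType
}
(Get-Acl -Path $sysvolPath).Access |
    Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" } |
    Select-Object @{ n = 'Object'; e = { $sysvolPath } }, FileSystemRights
foreach ($gpo in $GpoNames) {
    Get-GPPermission -Name $gpo -TargetName $DelegatedGroup -TargetType Group |
        Select-Object @{ n = 'Object'; e = { $gpo } }, Permission
}
```

Granting to a group rather than to individual accounts keeps the delegation reviewable: membership changes are visible in the group's history, and the verification block at the end can be re-run periodically to detect drift in any of the three ACLs. If the GPOs change over time, add each new one to $GpoNames and re-run step 3.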