Our dedicated Product Specialist team is always ready to help you when you need it the most.
Contact Support
Granting Access to Password Reset Leaf Objects
Password Reset stores each user’s enrollment data in a leaf object underneath the user’s account (specops-spp-pwdReset)
By design, access to these leaf objects is restricted as follows:
- SYSTEM – Full Control
- Domain Admins – Full Control
- Password Reset Service Account – Full Control
- End user – Read access
If you have changed Password Reset service accounts, you will need to grant the new service account full control over all existing leaf objects. We can do this using a CLI utility SPOBJMGR.EXE provided by Specops.
From an admin command prompt on the server where the Password Reset Admin Tools are installed, swapping the OU path and service account name:
cd "C:\Program Files\Specopssoft\Specops Password Reset\Administrative Tools\'"
.\SpObjMgr.exe PasswordReset <BASE_DN> GRANT_FC <AccountName>For example:
soft\Specops Password Reset\Administrative Tools\'"
.\SpObjMgr.exe PasswordReset "OU=Users,DC=demo,DC=local" GRANT_FC DEMO\passwordresetservice