Knowledge Base

Our dedicated Product Specialist team is always ready to help you when you need it the most. Contact Support

Granting Access to Password Reset Leaf Objects

Password Reset stores each user’s enrollment data in a leaf object underneath the user’s account (specops-spp-pwdReset)

By design, access to these leaf objects is restricted as follows:

  • SYSTEM – Full Control
  • Domain Admins – Full Control
  • Password Reset Service Account – Full Control
  • End user – Read access

If you have changed Password Reset service accounts, you will need to grant the new service account full control over all existing leaf objects. We can do this using a CLI utility SPOBJMGR.EXE provided by Specops.

From an admin command prompt on the server where the Password Reset Admin Tools are installed, swapping the OU path and service account name:

cd "C:\Program Files\Specopssoft\Specops Password Reset\Administrative Tools\'"
.\SpObjMgr.exe PasswordReset <BASE_DN> GRANT_FC <AccountName>

For example:

soft\Specops Password Reset\Administrative Tools\'"
.\SpObjMgr.exe PasswordReset "OU=Users,DC=demo,DC=local" GRANT_FC DEMO\passwordresetservice

Publication date: March 23, 2022
Modification date: March 23, 2022

Was this article helpful?

Related Articles