Reset Password Delegation

Posted on 2005-04-27
Last Modified: 2012-05-05
We would like an individual from each one of our departments to have the right to reset passwords for members of their respective departments during off hours.  We have an OU for each department and we're going to use the delegation wizard at the OU level to reset passwords.  My question is, do these users need access to Active Directory Users and Computers to reset these passwords? I would imagine so...

If so, I was thinking I could set up a GPO which will push out the Windows 2000 Support Tools on the desktop of the assigned people?  From there, they could launch ADUC's?  

Does this make sense?  Is there a better way?

Question by:msadexchman
    LVL 25

    Expert Comment

    yes the would need the admin tools in order to do this.  you posted this question in the windows 2003 server area, but then you say you want to push the 2000 support tools to the users.  what kind of domain do you have 2000 or 2003?  what OS do your clients have?  After knowing that we can tell you what your clients will need to install in order to manage their OU.

    Author Comment


    AD = 2003

    OS = XP and 2000 Professional

    LVL 25

    Expert Comment

    on xp clients just install the adminpak.exe that is on the server 2003 CD. If you don't have the server CD you can download it from the internet.
    on 2000 clients im pretty sure you can install the same version ( you might get an error but just ignore it)

    2003 version:;EN-US;q314978

    LVL 51

    Accepted Solution

    Use this as a guid eto setup Delegation of the Reset Password permission to a security group that contains the members you chose.

    Scroll down to "Delegating Resetting of Passwords for All Users"

    Then, use this one to make sure that they can enforce a password change at next logon.;en-us;296999

    Of course, you must have the Adminpak (as mentioned above) installed on the user(s) PCs that will be doing this.  

    Make absolutely certain that your real Admin accounts are in the Domain level and that you delegate to a sub-OU or your *trusted* employees will be able to change those passwords and have their way.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    Suggested Solutions

    Title # Comments Views Activity
    Connect to OSX Lion Server share from server 2003 4 30
    SSIS package failing 3 64
    change home folder path 4 27
    Dentrix G4 1 12
    The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
    by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
    This video discusses moving either the default database or any database to a new volume.
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now