Restricted AD user management from a PC for a specific OU

In a school situation - we have just upgraded our AD Servers to Server 2003 Enterprise R2 from Server 2003 Std.

I have been told with R2 it is possible to allocate the ability to certain users to change passwords of others for a specific OU.
In this case we want 2 staff members who we DON'T want to be Domain Admins to be able to change only student passwords. All students are in their own security & distribution group and in their own OU.

So far I haven't found any info on how to do it yet..
Who is Participating?
Brian PiercePhotographerCommented:
You have always been able to do this - R2 is not specifically needed.

Step 1. Right click on the OU and Use the deleagtion o control Wizard to delegate authority to chage passwords to a user/group.

Step 2. Install the admin tools on the users machine (can be XP or 2003) - The adminpak.msi installer in in %windir$\System32 on the server. (or download from

Step 3. To make life easier - create a taskpad for the user that shows only the tasks they can perform an provides a easy-to-use interface. see

Note: The admin tools need to be installed to run the taskpad but you can hide the tools to avoid confusing users
Also: Even if users can see the tools they can use them if you have not delegated tasks to them)

kiwistagAuthor Commented:
Thanks - next step: is there a way for the staff to do it from their PC (via a sanp in or equivalent) rather than being allowed to log into the server?
You would just install the windows 2003 sp1 admin tools on there machines.
kiwistagAuthor Commented:
Another snag - it seems if I follow the Petri instructions that it will allow mw to modify the sub contents of the New Taskpad view but not the primary contents.
For current managements sake (for example) we have a Sub-OU called 2007. The users running the MMC console can reset the passwords users within the subcontainers but not within the primary OU container.

So - clicking on domain\Pupils\Username and choosing reset password doesn't work however clicking on \domain\Pupils\2007\Username does.

HOWEVER running change password on a user from the Active Directory Users and Computers SnapIn does with the same Delegated Control user....
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.