Giving users permissions to reset passwords and enable accounts

Posted on 2010-01-07
Last Modified: 2012-05-08
I am in the process of setting up a taskpad to allow a few people at our office to reset user passwords and enable user accounts that are disabled (locked). I went through the delegate control wizard on the OU with the accounts and gave the permission to reset passwords to the people who need them. I then went through a document that explained how to create a taskpad and did that. I installed the AD parts of the admin pack (server 2003) on the computers that the "password resetters" are using. This seems to work - the PCs are XP Pro SP2 and it's a Windows 2008 SBS environment they need to manage. I have 2 issues though.

1) If a user launches any of the AD tools (instead of the taskpad I created), they are blocked from doing almost everything (that I tested anyway). For instance, they cannot force a replication between DCs or raise the functional levels of the domain or forest. However, they CAN create computers and users even though I specifically DID NOT grant that permission in the delegation wizard on that OU.

2) They CANNOT enable a disabled user account.

I went back through the delegation of control wizard again, and didn't see anything intuitive to answer #2, and I assume that I can just remove the people from the security tab and start over to delete any existing permissions to the OU to fix #1, but I still want to make sure these people ONLY have the permissions to reset passwords and enable disabled accounts.
Question by:djerryanderson

    Accepted Solution

    They need to be a member of the Account Operators security group, I believe

    Expert Comment

    by:Jason Watkins
    I agree with CrisHanna_MVP

    Expert Comment

    by:Hypercat (Deb)
    On the AD Users and Computers/Users container (or other OU that you want to give them permission to, edit the permissions on the container and give the user(s) or group the following permission, applied to the "Descendant User Objects" ONLY:
    Read lockout time
    Write lockout time
    Reset password
    Change password
    NOTE: You have to click on the Properties tab when you edit the Advanced security settings for the user or group in order to see/change the settings for Read/Write lockout time.
    This will definitely allow them to unlock a locked account.  If you actually want them to be able to enable a user account that has been permanently disabled, post back and I'll find out which attribute is required to do that.
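    As an added example (not code from this thread or from any of the people answering), the following PowerShell script applies exactly the four permissions listed in the answer above (read and write lockout time, Reset Password, Change Password) to descendant user objects of one OU, then lists every ACE on that OU that names the delegated group so you can confirm nothing broader is present. It uses only System.DirectoryServices, so it does not need the AD PowerShell module; it must be run as an account that can edit the OU's security. The OU distinguished name and the group name are placeholders.

```powershell
# Added example, not from the thread: delegate unlock + password reset only,
# then audit the resulting ACEs. Uses System.DirectoryServices only.
# Placeholders: adjust the OU DN and group name for your domain.
$ouDn  = "OU=Staff,DC=example,DC=local"   # placeholder OU distinguished name
$group = "EXAMPLE\PasswordResetters"       # placeholder delegated group
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier])

# Schema and extended-right GUIDs; these are fixed across AD forests.
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # objectClass "user"
$lockoutTimeGuid    = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"  # attribute lockoutTime
$resetPasswordGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right "Reset Password"
$changePasswordGuid = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"  # extended right "Change Password"

function New-UserObjectAce([System.DirectoryServices.ActiveDirectoryRights]$rights, [Guid]$objectType) {
    # Every ACE is scoped to descendant objects of class "user" only, which is
    # the "Descendant User Objects" scope described in the answer.
    $ctorArgs = @(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $objectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

function Grant-UnlockAndResetDelegation {
    $ou  = [ADSI]"LDAP://$ouDn"
    $acl = $ou.ObjectSecurity
    $rw  = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty,WriteProperty"
    $xr  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.AddAccessRule((New-UserObjectAce $rw $lockoutTimeGuid))     # Read + Write lockout time
    $acl.AddAccessRule((New-UserObjectAce $xr $resetPasswordGuid))   # Reset Password
    $acl.AddAccessRule((New-UserObjectAce $xr $changePasswordGuid))  # Change Password
    $ou.CommitChanges()
}

function Get-DelegatedAces {
    # Lists every ACE on the OU that names the group, explicit and inherited.
    # A row such as "CreateChild" with IsInherited = True was granted higher up
    # (domain or parent OU), so removing the group from this OU's security tab
    # alone will not take it away.
    $ou = [ADSI]"LDAP://$ouDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}

Grant-UnlockAndResetDelegation
Get-DelegatedAces | Format-Table -AutoSize
```

    The audit function is the part worth keeping around: if the group can still create users or computers (the first issue in the question), the listing shows whether that ACE is inherited from a parent container rather than set on this OU. Enabling an account that has been set to "Disabled" is a write to the userAccountControl attribute, which the thread does not cover; if that is required, grant it as one more ACE scoped to descendant user objects in the same way rather than by adding the group to Account Operators.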

    Author Comment

    Thanks Cris - worked fine. hyper, I may have done something wrong there, but that still wouldn't let me unlock disabled accounts???

    Expert Comment

    by:Hypercat (Deb)
    It will allow the user to unlock LOCKED accounts (i.e., when the user has typed the wrong user ID or password too many times and the account gets locked).  I don't believe it will allow the user to enable an AD account that has actually been set to "Disabled" status, but I've never tested this out.
    The reason that I don't recommend adding these users to the Account Operators group is that this gives them more than just permission to change passwords and unlock locked accounts.  If that's really what you want to limit them to do, then you don't want them to be members of the Account Operators group.
