• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 938

grant "Change User Password" permission only

I have a guy who I want to grant ONLY the ability to change user passwords in AD.
i.e. he can login to the AD server, open Active Directory Users and Computers, and change a user's password.  But I don't want him to have any other ability to do anything else in AD.

The point here is that he's my helpdesk guy, and occasionally users need their passwords to be reset.  I want him to be able to do that, but nothing else.

How do I do this?

1 Solution
B H Commented:
hmm.  problem is, he'd be able to change the administrator password too...  I can't think of a way to let him change only 'user' account passwords
On the OU where the user should get the permission, right-click the OU and choose the "Delegate control" wizard.

Another option could be this, however they will have more than just change passwords.
There is a builtin group called account operators. This will make it so he can administer domain user and group accounts.
I don't understand why you posted your comment bryon. It did not offer any information to the author about how to fix his problem.

Premkumar Yogeswaran (Analyst II - System Administrator) Commented:
This should be fairly easy. You should delegate "Reset password" task which is available in Delegation of control wizard.
Right click OU with user accounts and select Delegate Control...
Click next, add group of users (ALWAYS GROUP - do not delegate to users) which will be able to reset passwords and click next.
Select the check box in front of "Reset user password and force password change at next logon", click next, next, finish

luchianoduckman (Author) Commented:
This is good.
At some point in the future can I remove this ability?  If I go back and right-click on the OU and again click on "Delegate Control" it doesn't show the group that I formerly added.

Is there somewhere I can look to verify that this setting has been added, and remove it if necessary?
Thanks again.
Start the Active Directory Users and Computers snap-in.
On the View menu, click Advanced. This enables the Security tab.
Right-click the container from which the permissions will be removed, and then click Properties.
Click the Security tab.
Remove the appropriate users or groups.
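The wizard step described above ("Reset user password and force password change at next logon") writes two access control entries on the OU for the chosen group: the "Reset Password" extended right on descendant user objects, and read/write on the pwdLastSet attribute of those objects. The script below is an added example (not code from this thread or from Microsoft) that grants that same delegation with the ActiveDirectory PowerShell module, lists it so you can verify it landed, and removes it again, which is what the author asked for. The OU distinguished name and group name are placeholders; the GUIDs are looked up from the schema and configuration partitions rather than hard-coded, and the functions assume RSAT is installed and that you run them with rights to edit the OU's ACL.

```powershell
# Added example: grant / verify / remove the "Reset password" delegation on one OU.
# Placeholders (assumptions): change $OuDn and $GroupName to your own values.
Import-Module ActiveDirectory

$OuDn      = "OU=Helpdesk Managed Users,DC=example,DC=com"   # placeholder OU
$GroupName = "Helpdesk-PasswordReset"                         # placeholder group; always delegate to a group

function Get-DelegationGuids {
    # Resolve the schema/extended-right GUIDs from the directory instead of hard-coding them.
    $root = Get-ADRootDSE
    $userClass  = Get-ADObject -SearchBase $root.schemaNamingContext `
                    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
    $pwdLastSet = Get-ADObject -SearchBase $root.schemaNamingContext `
                    -LDAPFilter "(lDAPDisplayName=pwdLastSet)" -Properties schemaIDGUID
    $resetPwd   = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid
    [pscustomobject]@{
        UserClass  = [guid]$userClass.schemaIDGUID     # schemaIDGUID is stored as a byte array
        PwdLastSet = [guid]$pwdLastSet.schemaIDGUID
        ResetPwd   = [guid]$resetPwd.rightsGuid        # rightsGuid is stored as a string
    }
}

function Grant-PasswordResetDelegation {
    param([string]$OuDn, [string]$GroupName)
    $g       = Get-DelegationGuids
    $sid     = (Get-ADGroup $GroupName).SID
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # ACE 1: "Reset Password" extended right, applied only to descendant user objects.
    $aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $g.ResetPwd, $inherit, $g.UserClass)

    # ACE 2: read/write pwdLastSet, so "user must change password at next logon" can be set.
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acePwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rw, $allow, $g.PwdLastSet, $inherit, $g.UserClass)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($aceReset)
    $acl.AddAccessRule($acePwd)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-PasswordResetDelegation {
    # The equivalent of the Security tab: every explicit ACE on the OU held by the group.
    param([string]$OuDn, [string]$GroupName)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

function Remove-PasswordResetDelegation {
    # Strip the group's explicit ACEs from the OU (the "remove the appropriate groups" step).
    param([string]$OuDn, [string]$GroupName)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Usage:
Grant-PasswordResetDelegation  -OuDn $OuDn -GroupName $GroupName
Get-PasswordResetDelegation    -OuDn $OuDn -GroupName $GroupName | Format-Table -AutoSize
# Remove-PasswordResetDelegation -OuDn $OuDn -GroupName $GroupName
```

Get-PasswordResetDelegation is the scriptable version of the Security tab check given above: after the grant you should see two Allow entries for the group with InheritedObjectType equal to the user class GUID, and after the remove they should be gone. On the concern raised earlier about the administrator password: an ACE on one OU only reaches accounts inside that OU, and accounts that AdminSDHolder protects (members of Domain Admins and the other protected groups) have their ACLs periodically reset from the AdminSDHolder template, so an OU-level delegation does not carry over to them.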
luchianoduckman (Author) Commented:
I love it.
Thanks guys.