luchianoduckman
asked on
grant "Change User Password" permission only
I have a guy who I want to grant ONLY the ability to change user passwords in AD.
i.e. he can log in to the AD server, open Active Directory Users and Computers, and change a user's password. But I don't want him to have any other ability to do anything else in AD.
The point here is that he's my helpdesk guy, and occasionally users need their passwords to be reset. I want him to be able to do that, but nothing else.
How do I do this??
Thanks.
Hmm. Problem is, he'd be able to change the administrator password too... I can't think of a way to let him change only 'user' account passwords.
I don't understand why you posted your comment bryon. It did not offer any information to the author about how to fix his problem.
Hi
This should be fairly easy. You should delegate "Reset password" task which is available in Delegation of control wizard.
Right click OU with user accounts and select Delegate Control...
Click next, add group of users (ALWAYS GROUP - do not delegate to users) which will be able to reset passwords and click next.
Select the check box in front of "Reset user password and force password change at next logon", click next, next, finish
Cheers,
Prem
ASKER
This is good.
At some point in the future can I remove this ability? If I go back and right-click on the OU and again click on "Delegate Control" it doesn't show the group that I formerly added.
Is there somewhere I can look to verify that this setting has been added, and remove it if necessary?
Thanks again.
Start the Active Directory Users and Computers snap-in.
On the View menu, click Advanced. This enables the Security tab.
Right-click the container from which the permissions will be removed, and then click Properties.
Click the Security tab.
Remove the appropriate users or groups.
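The same verification and removal can be done from PowerShell. The script below is an added example, not part of the original thread: it lists the explicit entries the delegation wizard wrote on the OU for the helpdesk group and removes them only when `-Remove` is passed. The OU distinguished name and group name are hypothetical placeholders, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: audit (and optionally remove) a delegated "Reset Password" right on an OU.
# Read-only unless -Remove is passed. OU and group defaults are hypothetical placeholders.
param(
    [string]$OuDn  = 'OU=Staff,DC=example,DC=com',
    [string]$Group = 'EXAMPLE\Helpdesk-PwdReset',
    [switch]$Remove
)
Import-Module ActiveDirectory

# Schema GUIDs the "Reset user password and force password change at next logon"
# task refers to: the Reset Password extended right and the pwdLastSet attribute.
$guids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
}

$path = "AD:\$OuDn"
$acl  = Get-Acl -Path $path

# Keep only ACEs set directly on this OU (not inherited from a parent),
# held by the group in question, and scoped to one of the GUIDs above.
$hits = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Value -eq $Group -and
    $guids.ContainsKey($_.ObjectType.ToString())
})

if (-not $hits) {
    Write-Output "No explicit password-reset delegation for $Group on $OuDn"
    return
}

$hits | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
    @{ Name = 'AppliesTo'; Expression = { $guids[$_.ObjectType.ToString()] } },
    InheritanceType | Format-Table -AutoSize

if ($Remove) {
    # Remove exactly the matched ACEs and write the ACL back to the OU.
    foreach ($ace in $hits) { $acl.RemoveAccessRuleSpecific($ace) }
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Removed $($hits.Count) ACE(s) for $Group from $OuDn"
}
```

Run it without `-Remove` first and compare the output with what the Security tab shows under Advanced before changing anything.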
ASKER
Excellent.
I love it.
Thanks guys.