grant "Change User Password" permission only

I have a guy who I want to grant ONLY the ability to change user passwords in AD.
i.e. he can log in to the AD server, open Active Directory Users and Computers, and change a user's password.  But I don't want him to have any other ability to do anything else in AD.

The point here is that he's my helpdesk guy, and occasionally users need their passwords to be reset.  I want him to be able to do that, but nothing else.

How do I do this??


B H Commented:
Hmm. Problem is, he'd be able to change the administrator password too... I can't think of a way to let him change only 'user' account passwords.
On the OU where the user should get the permission, right-click the OU and choose the "Delegate control" wizard.

Another option could be this; however, they will have more than just change passwords.
There is a built-in group called Account Operators. This will make it so he can administer domain user and group accounts.

I don't understand why you posted your comment bryon. It did not offer any information to the author about how to fix his problem.

Premkumar Yogeswaran (Sr. Analyst - System Administrator) Commented:
This should be fairly easy. You should delegate "Reset password" task which is available in Delegation of control wizard.
Right click OU with user accounts and select Delegate Control...
Click next, add group of users (ALWAYS GROUP - do not delegate to users) which will be able to reset passwords and click next.
Select the check box in front of "Reset user password and force password change at next logon", click next, next, finish.

luchianoduckman (Author) Commented:
This is good.
At some point in the future can I remove this ability?  If I go back and right-click on the OU and again click on "Delegate Control" it doesn't show the group that I formerly added.

Is there somewhere I can look to verify that this setting has been added, and remove it if necessary?
Thanks again.
Start the Active Directory Users and Computers snap-in.
On the View menu, click Advanced. This enables the Security tab.
Right-click the container from which the permissions will be removed, and then click Properties.
Click the Security tab.
Remove the appropriate users or groups.
luchianoduckman (Author) Commented:
I love it.
Thanks guys.
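
The verify-and-remove steps discussed in this thread can also be done from PowerShell with the ActiveDirectory module. This is an added example, not code from any participant in the thread; the OU path and group name are placeholders, and the "expected" rights assume the wizard's reset-password task grants the Reset Password extended right plus read/write on pwdLastSet.

```powershell
# Added example. $ouDn and $groupName are placeholders; replace with your own.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'       # placeholder OU that was delegated
$groupName = 'EXAMPLE\Helpdesk-PasswordReset'   # placeholder delegated group

# GUIDs from the AD schema
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$expected      = @($resetPassword, $pwdLastSet)                # assumption: what the wizard task writes

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Verify: every explicit (non-inherited) ACE the group holds on this OU.
# The Delegate Control wizard never lists these; the Security tab and this query do.
$aces = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $groupName
})

$aces | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

if ($aces.Count -eq 0) {
    Write-Output "No explicit ACEs for $groupName on $ouDn"
    return
}

# Least-privilege check: flag any ACE that is not one of the expected rights.
$unexpected = @($aces | Where-Object { $_.ObjectType -notin $expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$groupName holds rights beyond password reset on $ouDn"
}

# Remove: strip the group's explicit ACEs and write the ACL back.
foreach ($ace in $aces) {
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl -WhatIf   # drop -WhatIf to actually apply
```

Run it with an account that can modify permissions on the OU; with `-WhatIf` in place nothing is written.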