Solved

Giving a user the right to change passwords

Posted on 2010-08-17
5
684 Views
Last Modified: 2012-08-24
I am the admin for a relativley large Windows 2003 network in a school district.  I have 3 Tech aides who are not very thechnical but I would like to give them the ability to change and reset passwords in thier own buildings.  I would like for them to have a custom console so that they can browse AD and change passwords. What is the best way to do this whithout giving them too much access?
0
Comment
Question by:jp_tech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33453827
Create an OU for that user and delegate permissions for him
0
 
LVL 8

Accepted Solution

by:
SGrossmann earned 250 total points
ID: 33453830
See this article.Delegating permissions within active directory.http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33453835
Sorry, on OU where he should be able to chabge passwords, delegate him permissions :)
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 250 total points
ID: 33453877
Right-click the OU in which the user objects are (NOT any domain admins!) and use the delegation of control wizard to allow a group(!) "PasswordReset" or whatever to change the password.
Allow the same group to change the "User must change password" attribute (on W2k3, you do NOT have to edit dssec.dat!), it's not included by default and usually *very* necessary:
Minimum permissions are needed for a delegated administrator to force password change at next logon procedure
http://support.microsoft.com/kb/296999

Create the taskpad (note that the ADUC MMC from adminpak.msi has to be installed on any admin clients, the MMC alone is not enough):
Create Taskpads for Active Directory Operations
http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 

Author Closing Comment

by:jp_tech
ID: 33468326
Sgrossman prided a good link that provided instructions for giving the proper delegation and obda provided the information for creating the custom MMC. Thanks guys.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question