We help IT Professionals succeed at work.

Need users to be able to unlock and change passwords in 2003 AD

jimbecher asked
  I have a 2003 AD at a customers but am not there that often. I need to create a Security Group in the AD and give members of this group the ability to unlock other user's accounts and reset their passwords. Those are the only two things I want them to be able to do.

   These specfic users are running XP Professional workstations and I have installed the 2003 Administrative Tools to their computers for they have access to the AD. I tried this long, long ago and had to give them Administrator rights to the Domain. I want to try again to give them just the unlock and reset password rights.

Watch Question

To unlock user
http://support.microsoft.com/kb/279723/en-us --> This article may be for win2000, but it still is relevant for new versions of windows.

http://community.spiceworks.com/how_to/show/1464 --> This will help to grant users permission to change password.


  I am going to start one at a time. The Delegation of Permissions seems like a simple way to do it but... it doesn't seem to work. I right clicled on the domain (wcc.local) and deligated the reset password permissions to the security group "ITAdminHelpers". I then got on on of the XP workstations as one of the users in the "ITAdminHelpers" group and tried changing my password. I got "Access Denied". I guess one question I have about the delegation process is "where can I see what I delegeated"? Maybe it didn't take?????