Solved

How to set up junior administrator to only reset user passwords

Posted on 2014-11-25
Last Modified: 2014-12-16
Hi

We have a Windows 2012 AD server and a Windows 7 workstation. We have two OUs, that is, the Staff OU and the Student OU. I want to give my assistant only the privilege to reset user passwords, for both staff and students.

Please can someone post me a step-by-step guide to set this up on his Windows 7 PC. Is there any third-party free software?

Any help much appreciated

Thanks
Question by:lianne143
4 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 167 total points
ID: 40465974
You need to delegate permissions:

Task 1: Delegate unlock user account permission

1.     Create the group or user account that you want to have the right to change password and unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).

2.     Right-click the domain in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed.

3.     The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.

4.     On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.

5.     On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.

6.     On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.

7.     On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, click to select Reset Password, and then click Next.

8.     On the Completing the Delegation of Control Wizard dialog box, click Finish.


Task 2: Delegate unlock user account permission


1. In the console of "Active Directory Users and Computers" -> Right-click the desired OU or Container in the left pane -> Delegate Control…

2. In the Wizard of Delegate Control… -> Add the desired delegated user account or group of management -> Select "Create a custom task to delegate" -> Choose "Only the following objects in the folder" -> Choose the "User objects" and Check the box of "Create selected object in this folder" -> Next -> Check "Change Password" -> Finish the Wizard.

Details from:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/3f0dbf8e-636b-45fe-93db-f788d5b976fd/allow-help-desk-to-only-reset-user-passwords
0
 
LVL 24

Assisted Solution

by:NVIT
NVIT earned 167 total points
ID: 40466129
My apologies. I didn't know about blind links.
0
 
LVL 12

Assisted Solution

by:zalazar
zalazar earned 166 total points
ID: 40468078
Create a global security group in AD, e.g.: AD_ADMIN_ResetPasswords
Add the user account of the junior administrator to this group (member).

Start AD Users and Computers
View | Advanced Features
Right click on the OU where you want to give these permissions and select Properties
Click the Security tab
Click Advanced, click Add..., type AD_ADMIN_ResetPasswords, click Check Names and OK
On the object tab, select Apply to "Descendant User objects"
Allow the following 2 permissions:
Change password  and  Reset password
Click OK, OK, OK

I prefer to set the permissions manually, as by using delegation you do not have full control over the assigned permissions.
0
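
The delegation described in the answers above, scripted and then verified, as an added example that is not part of the original thread: it grants Reset Password and read/write lockoutTime on descendant user objects of the two OUs from the question, then reads each ACL back and flags any other explicit ACE held by the group. The domain name EXAMPLE, the OU distinguished names and the reuse of the group name AD_ADMIN_ResetPasswords are assumptions; it needs the RSAT ActiveDirectory module and dsacls on the machine where it runs.

```powershell
# Added example: the domain, OU paths and group below are assumed placeholder values.
Import-Module ActiveDirectory

$Group = 'EXAMPLE\AD_ADMIN_ResetPasswords'          # assumed NetBIOS domain name
$OUs   = 'OU=Staff,DC=example,DC=com',              # assumed distinguished names
         'OU=Student,DC=example,DC=com'

# Well-known schema GUIDs, used to recognise the two expected grants when reading back.
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (attribute)'
}
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003044ef'   # user object class

foreach ($ou in $OUs) {
    # /I:S applies the ACE to descendant objects only; the trailing "user"
    # restricts it to user objects, so the OU itself and other classes are untouched.
    dsacls $ou /I:S /G "${Group}:CA;Reset Password;user" | Out-Null
    dsacls $ou /I:S /G "${Group}:RPWP;lockoutTime;user"  | Out-Null

    # Read the ACL back: every explicit ACE for the group should be one of the
    # two grants above, scoped to user objects. Anything else is flagged.
    $aces = (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Group }

    foreach ($ace in $aces) {
        $what = $Expected[$ace.ObjectType.ToString()]
        $ok   = $what -and
                $ace.InheritedObjectType -eq $UserClass -and
                $ace.AccessControlType -eq 'Allow'
        [pscustomobject]@{
            OU      = $ou
            Rights  = $ace.ActiveDirectoryRights
            Target  = if ($what) { $what } else { $ace.ObjectType }
            Verdict = if ($ok) { 'expected' } else { 'REVIEW' }
        }
    }
}
```

A row marked REVIEW means the group holds an explicit right on that OU beyond password reset and unlock, for example one left behind by an earlier run of the delegation wizard.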
