Minimum permission to reset passwords

Hello Expert,
I have a temporary technician who comes in once in a while to do work for us. I want to assign him the permission to reset passwords of Active Directory users. All the users are in an OU called Staff; I don't want him to reset passwords of users which are in other OUs (for example ManagementUsers, ExecutiveUsers, VIPUsers), and no other dangerous access rights.

I use a Windows 2008 Domain Controller.

This is what I've done so far...
1 - Created a user account for the technician.
2 - On the "Staff" OU in Active Directory I right-clicked, selected the Delegation of Control Wizard and added that user as the delegate.
3 - From the common tasks to delegate I selected only "Reset user passwords".
4 - Finish.

I have tested the above configuration and it is not working. This is where I'm stuck... I want to know what other permissions I need to assign to this user so he can reset passwords only in the "Staff" OU and absolutely nothing else.

Waiting for your support.
Thank you.
VB ITS (Specialist Consultant) commented:
It's also worth checking the permissions on the user account you're trying to reset the password on to make sure that it does not have inheritance turned off.

- In Active Directory Users and Computers click on View in the top menu bar, then click on Advanced Features
- Now browse to the Staff OU and right click on the problematic user account, then click Properties
- Click on the Security tab
- Click on the Advanced button
- Verify the Include inheritable permissions from this object's parent box is ticked

Few other things to check:
- If you have multiple Domain Controllers in your environment then verify that your changes have replicated. You can force the replication if necessary:
- Verify that the user account you are trying to reset the password for isn't a member of a protected group. Go back into the user account's Properties in ADUC then click on the Attribute Editor tab. Now look at the adminCount attribute and make sure this is set to either 0 or <not set>
- This may seem simple but did you log out of the Technician account then log back in after you delegated the reset password ability?
- Lastly double check that you have granted the correct access in the Delegate Control Wizard:
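The checks above can be run in one pass from a workstation with the Active Directory PowerShell module. The script below is an added example, not part of the thread: it reports every user under the OU whose object has inheritance disabled or is AdminSDHolder-protected (adminCount=1), lists the access control entries actually held by the technician account on the OU so the delegated rights can be compared with what was intended, and prints the replication summary. The OU distinguished name and the account name are placeholders.

```powershell
# Added example: audit why a delegated "Reset password" right may not be taking effect.
Import-Module ActiveDirectory

$ouDN = 'OU=Staff,DC=example,DC=com'   # placeholder: distinguished name of the Staff OU
$tech = 'EXAMPLE\tech.temp'            # placeholder: the technician's account

# 1. Users whose ACL will not receive the inherited ACE from the OU.
#    nTSecurityDescriptor comes back as a System.DirectoryServices.ActiveDirectorySecurity object.
$users = Get-ADUser -SearchBase $ouDN -SearchScope Subtree -Filter * `
                    -Properties adminCount, nTSecurityDescriptor

$findings = foreach ($u in $users) {
    $issues = @()
    if ($u.nTSecurityDescriptor.AreAccessRulesProtected) {
        $issues += 'inheritance disabled on the user object'
    }
    if ($u.adminCount -eq 1) {
        # AdminSDHolder rewrites the ACL of protected accounts every hour, removing the delegation.
        $issues += 'adminCount=1 (AdminSDHolder-protected account)'
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = ($issues -join '; ') }
    }
}
$findings | Format-Table -AutoSize

# 2. Exactly which rights the technician holds on the OU.
#    Well-known GUIDs, used only to turn ObjectType into a readable name.
$rightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
}
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $tech } |
    ForEach-Object {
        [pscustomobject]@{
            Type            = $_.AccessControlType
            Rights          = $_.ActiveDirectoryRights
            Right           = if ($rightNames[$_.ObjectType.ToString()]) { $rightNames[$_.ObjectType.ToString()] } else { $_.ObjectType }
            Inheritance     = $_.InheritanceType
            AppliesToClass  = if ($rightNames[$_.InheritedObjectType.ToString()]) { $rightNames[$_.InheritedObjectType.ToString()] } else { $_.InheritedObjectType }
        }
    } | Format-Table -AutoSize

# 3. Replication state across all DCs (only meaningful with more than one DC).
repadmin /replsummary
# To push the change out immediately rather than wait: repadmin /syncall /AdeP
```

Anything in the technician's ACE list other than an Allow of ExtendedRight for "Reset Password" (and, if granted, "Change Password") applying to the user class is more than the task needs and is worth removing.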
Manoj Bojewar commented:
This is enough to reset passwords for the users of that particular OU. Please give it some time for the permission to replicate. I would say check now and let us know the result.
Miguel Angel Perez Muñoz commented:
Your way is 100% correct and no additional permissions are required to reset user password (usually give plus force change password on next logon). Could you do a RSOP for this delegated user?

When you checked this login, what extra permissions did it have?

Just go back-tracking and remove those permissions.

Hope this will solve your problem.
zalazar commented:
I actually prefer to set these permissions manually, as by using delegation you do not have full control over the assigned permissions. Below please find a procedure which assigns the minimum permissions needed to reset passwords for user accounts in the "Staff" OU.

1. Start AD Users and Computers
2. View | Advanced Features
3. Right-click the "Staff" OU where you want to give the reset password permissions and select Properties
4. Click the Security tab
5. Click Advanced, click Add..., type <technician user account>, click Check Names and OK
6. On the Object tab, select Apply to: "Descendant User objects"
7. Allow the following 2 permissions: Change password and Reset password
8. Click OK, OK, OK
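The same ACL change, done from the command line so it can be reviewed and repeated, as an added example that is not part of the thread: it adds two Allow ACEs for the technician on the Staff OU, each an ExtendedRight for one control access right ("Reset Password", "Change Password"), inherited by descendant user objects only. The OU distinguished name and account name are placeholders; the GUIDs are the schema's well-known values for those rights and for the user class.

```powershell
# Added example: grant only Reset Password and Change Password on descendant user objects of an OU.
Import-Module ActiveDirectory

$ouDN = 'OU=Staff,DC=example,DC=com'   # placeholder: distinguished name of the Staff OU
$tech = 'EXAMPLE\tech.temp'            # placeholder: the technician's account

# Well-known GUIDs: control access rights from CN=Extended-Rights and the schemaIDGUID of 'user'.
$resetPasswordRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$changePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$userClassGuid       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Resolve the account to a SID so the ACE is stored by identity, not by name.
$sid = (New-Object System.Security.Principal.NTAccount($tech)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($right in @($resetPasswordRight, $changePasswordRight)) {
    # Overload: (identity, rights, type, objectType, inheritanceType, inheritedObjectType)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right,                                                          # the specific control access right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid                                                   # ...on user objects only, not the OU itself
    )
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Show what was written for this identity so the result can be reviewed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $tech } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Because the ACEs are scoped by `InheritedObjectType` to the user class and inherit only to descendants, the technician gains nothing on the OU object itself or on other object classes under it, and nothing on users in OUs outside Staff. Note that ADUC's "Change password" entry, when ticked in the Delegation of Control Wizard, is not the same as granting this right manually; the wizard's "Reset user passwords and force password change at next logon" task also writes pwdLastSet, which the manual procedure above deliberately leaves out.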
smpvm (Author) commented:
Thank you all, the permission is set correctly as per your advice.
Now the last part is to provide a solution which will help the "technician" connect to the "Active Directory Users and Computers" console from his Windows 7 desktop. I don't want to give him an RDP connection to the Domain Controller because I am afraid he may restart or shut down the server by mistake.

Anyone, no matter what permissions, could use RSAT to connect to a DC.
smpvm (Author) commented:
What is RSAT ?
VB ITS (Specialist Consultant) commented:
Once you've downloaded and installed RSAT on the technician's Windows 7 machine, you will need to enable the required RSAT modules through Control Panel > Programs and Features > Turn Windows features on or off.
smpvm (Author) commented:
I successfully installed RSAT using the above link on the "technician" computer, but I found a security issue: by mistake I installed RSAT using another user, say "user1", and I came to understand that from the user1 profile I am able to view the Active Directory Users and Computers hierarchy in read-only mode, which is a big security issue. Can you please suggest how I can implement a countermeasure from the domain controller so that everyone, or authenticated normal users, does not have the privilege to view the Active Directory Users and Computers hierarchy, DNS, DHCP, etc... all AD tools.

Please Help.

By default, with or without RSAT, any user may browse Active Directory. This is NOT a security issue.
smpvm (Author) commented:
Hello McKnife,

Is it possible to prevent this default behavior ?

VB ITS (Specialist Consultant) commented:
Unfortunately there's no easy way to do this, as the read access to AD is by design. It's not exactly a security risk either as other LDAP browsers will be able to retrieve the data in AD with or without RSAT installed.

If you must, you can look at blocking use of all MMCs through Group Policy but again, this won't stop other programs from reading AD data in your organisation.
Every object in AD has an ACL (every user, computer, GPO, ...), so yes, we can block read access to those - if you know the consequences, go ahead.
smpvm (Author) commented:
Thank you, this solution is perfect.
smpvm (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for smpvm's comment #a40597741
Assisted answer: 125 points for VB ITS's comment #a40583484
Assisted answer: 125 points for zalazar's comment #a40583804
Assisted answer: 125 points for McKnife's comment #a40585717
Assisted answer: 125 points for VB ITS's comment #a40586032

for the following reason:

Good Solution
smpvm (Author) commented:
Good Solution