Service account to be able to reset passwords on Windows

Hello, I have a service account that's being used by our SonicWall VPN, Fortinet firewall, Barracuda anti-spam, MySQL, and Zimbra email to authenticate against or query Active Directory. How can I make sure that this service account is able to reset passwords for users when they are logged in on one of those devices?

SuperRoot asked:
David Johnson, CD, MVP (Owner) commented:
"How can I make sure that this service account is able to reset passwords for users when they are logged in on one of those devices?" You don't want this account's password to change, so make sure its properties are set to never expire. This account must be a member of Domain Admins or be delegated the right to change a user's password. Normally this is not done by these items but by the user, using LDAP.
SuperRoot (Author) commented:
I don't think Domain Admins is a good idea. Delegating password reset? What's the best practice to do so? I'd like it so that when a user is in a group or OU, the service account can reset their password.
David Johnson, CD, MVP (Owner) commented:
Anyone can change their own password BUT not another user's password; ONLY administrators or users with delegated permissions can. The items mentioned use LDAP or Kerberos to query AD and get back a token. They don't have the rights to change a password; they simply ask AD if the username exists and if the password matches the username, after which they get an authorization token, and this token is then used for further access.
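As an added illustration of the point made in the answer above (this is example code written for this page, not something posted in the thread or shipped by any of the appliances named in the question): an appliance that "asks AD if the username exists and if the password matches" typically does a search-then-bind. It binds with its own service account to look up the user's DN, then does a second bind as the user with the password the user typed. Neither step needs any password-reset delegation; the service account only needs to read the directory. The server name, OU and account names below are assumptions.

```powershell
# Added example, not from the original thread. Assumes a domain controller reachable on
# LDAPS (636) with a trusted certificate; hostnames, DNs and account names are made up.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# RFC 4515 escaping so a username such as "jdoe)(objectClass=*" cannot rewrite the search filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\' { [void]$sb.Append('\5c') }
            '*' { [void]$sb.Append('\2a') }
            '(' { [void]$sb.Append('\28') }
            ')' { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

function New-LdapsConnection {
    param([Parameter(Mandatory)][string]$LdapServer)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # a simple bind over plain 389 would send the password in clear
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn
}

# Step 1: the appliance's own (read-only) service account finds the user's DN.
function Find-UserDn {
    param(
        [Parameter(Mandatory)][string]$LdapServer,
        [Parameter(Mandatory)][pscredential]$ServiceAccount,   # e.g. CORP\svc-fortigate (assumed)
        [Parameter(Mandatory)][string]$BaseDn,                 # e.g. OU=Staff,DC=corp,DC=example (assumed)
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $conn = New-LdapsConnection -LdapServer $LdapServer
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind($ServiceAccount.GetNetworkCredential())
        $filter = '(&(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'distinguishedName')
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -ne 1) { return $null }   # unknown user, or ambiguous result: treat as failure
        $resp.Entries[0].DistinguishedName
    } finally { $conn.Dispose() }
}

# Step 2: prove the password by binding as the user. No reset right is involved here.
function Test-AdCredential {
    param(
        [Parameter(Mandatory)][string]$LdapServer,
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][securestring]$Password
    )
    $conn = New-LdapsConnection -LdapServer $LdapServer
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind((New-Object System.Net.NetworkCredential($UserDn, $Password)))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP result 49 (invalidCredentials) covers wrong password, disabled, locked-out and
        # expired accounts; AD puts the distinguishing sub-code (e.g. 775 = locked out) in the message text.
        Write-Verbose ("Bind as {0} failed: {1} (code {2})" -f $UserDn, $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    } finally { $conn.Dispose() }
}

# Usage (all values assumed):
$svc = Get-Credential -Message 'Appliance service account (read-only)'
$dn  = Find-UserDn -LdapServer 'dc01.corp.example' -ServiceAccount $svc -BaseDn 'OU=Staff,DC=corp,DC=example' -SamAccountName 'jdoe'
if ($dn) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $dn"
    Test-AdCredential -LdapServer 'dc01.corp.example' -UserDn $dn -Password $pw
}
```

Two things worth noticing: the user bind is what actually authenticates, so a locked-out or disabled user fails even though the service account itself is fine, and the search filter is escaped before the username goes into it, because the appliance is putting untrusted input into an LDAP query on the service account's authority.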
SuperRoot (Author) commented:
Thanks for your help! Can I follow the link below to grant the permission to the service account? http://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff
David Johnson, CD, MVP (Owner) commented:
Yes, that is the procedure.
compdigit44 commented:
I would not recommend using one domain user account across all devices; instead, assign each appliance its own domain user account which is delegated the necessary rights.

This adds auditing and prevents an issue where one account gets locked out: it would affect one appliance and not all three.
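The delegation the accepted answer points to (the linked how-to uses the Delegation of Control wizard) and the one-account-per-appliance advice in the comment above can both be scripted, which also makes the resulting ACL reviewable. The following is an added example written for this page, not code from the thread, from the linked how-to, or from any of the vendors named in the question. It assumes the ActiveDirectory PowerShell module, PowerShell 5 or later, and made-up OU and account names. It grants only the two things a password reset needs: the "Reset Password" control access right on user objects under one OU, and read/write on pwdLastSet so "user must change password at next logon" can be set. Nothing else, and nothing at the domain level.

```powershell
# Added example, not from the original thread. OU DNs and account names are assumptions.
Import-Module ActiveDirectory

# Schema GUIDs; these values are the same in every AD forest.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

# One account per appliance: its own password, never expires, and it cannot change its own password.
function New-ApplianceServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,            # OU DN that holds service accounts
        [Parameter(Mandatory)][securestring]$Password
    )
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Service account for $Name; delegated password reset on user OU only"
    Get-ADUser -Identity $Name
}

# Delegate reset rights on ONE OU, inherited by user objects beneath it and nothing else.
function Grant-PasswordResetOnOu {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $path    = "AD:\$OuDn"                       # AD: drive is provided by the ActiveDirectory module
    $acl     = Get-Acl -Path $path
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # 1) "Reset Password" extended right, scoped to user objects (not computers, groups or the OU itself)
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $ResetPasswordRight, $inherit, $UserClass))

    # 2) read/write pwdLastSet so the account can flag "must change password at next logon" after a reset
    $rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $rw, $allow, $PwdLastSetAttr, $inherit, $UserClass))

    Set-Acl -Path $path -AclObject $acl
}

# Review: who holds Reset Password on this OU, and how far does it inherit?
function Get-PasswordResetDelegations {
    param([Parameter(Mandatory)][string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.ObjectType -eq $ResetPasswordRight -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, IsInherited, InheritanceType, InheritedObjectType
}

# Usage (all DNs and names assumed). Only give the reset delegation to appliances that really
# perform resets; the ones that merely authenticate users need nothing beyond a normal account.
$svcOu  = 'OU=Service Accounts,DC=corp,DC=example'
$userOu = 'OU=Staff,DC=corp,DC=example'
foreach ($appliance in 'svc-sonicwall', 'svc-fortigate', 'svc-barracuda', 'svc-mysql', 'svc-zimbra') {
    $pw   = Read-Host -AsSecureString -Prompt "Password for $appliance"
    $acct = New-ApplianceServiceAccount -Name $appliance -Path $svcOu -Password $pw
    Grant-PasswordResetOnOu -OuDn $userOu -Sid $acct.SID
}
Get-PasswordResetDelegations -OuDn $userOu
```

Because each appliance has its own SID in the ACL, the "Reset Password" attempts it makes show up under that identity (event ID 4724 in the Security log once "Audit User Account Management" is enabled), and a lockout of one account stops one appliance only. Keep the delegated OU free of admin and service accounts; anything under it can be reset by every account in that list.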
Active Directory
Question has a verified solution.