<div>
They ended up not needing this permission.
</div>


<div>
<div class="content wysiwyg-content">
Does anyone know of an easy way to delegate permission to modify the unicodePwd attribute? <br />
<br />
Third-party is trying to assist with LDAP based password resets, and they are insisting permission to this attribute is needed. I don't even see that attribute in the Security tab for User Objects in Active Directory when I go to check available permissions. <br />
<br />
Or is there another minimum list of permissions needed for carrying out password resets in Active Directory via LDAP? <br />
<br />
I delegated typical permissions:<br />
<br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Change Password <br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reset Password <br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Read userAccountControl <br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Write userAccountControl<br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Read lockoutTime<br />
• &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Write lockoutTime<br />
&nbsp;<br />
But they get the following error when trying to carry out a password reset: <br />
<br />
error: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
</div>
</div>


Does anyone know of an easy way to delegate permission to modify the unicodePwd attribute? 

Third-party is trying to assist with LDAP based password resets, and they are insisting permission to this attribute is needed. I don't even see that attribute in the Security tab for User Objects in Active Directory when I go to check available permissions. 

Or is there another minimum list of permissions needed for carrying out password resets in Active Directory via LDAP? 

I delegated typical permissions:

•	Change Password 
•	Reset Password 
•	Read userAccountControl 
•	Write userAccountControl
•	Read lockoutTime
•	Write lockoutTime
 
But they get the following error when trying to carry out a password reset: 

error: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

Attribute permission - unicodePwd?

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.