One of the strengths of Active Directory, or at least the management part of it, is the capability to delegate permissions to modify various aspects of the directory to your lower privileged users. To this end, you can give the capability to reset user passwords to your service desk team, or to managers over certain departments. Here’s how to set up delegation for a group of users to have the capability of setting passwords for another subset of users in a particular OU.
Step-by-step: delegating password reset
- Open Active Directory Users and Computers.
- Right-click on the user or group you want to delegate and click Delegate Control…
- Click Next on the Welcome Wizard.
- Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
- Click OK once you’ve made your selection, followed by Next.
- Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next login.
- Click Next, review your choices, then click Finish.
Delegating permissions is a very good way to empower your help desk, managers or other power users to help you with some of the daily IT tasks that otherwise make it difficult to concentrate on important or more interesting tasks.
To check the delegated permission, open the Properties of one of the users, go to the Security tab, click Advanced, select one of the entries, click Edit, and check under Permissions whether the “Change/Reset password” box is checked.
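The same check can be scripted so that every trustee holding the delegated rights is listed at once. The following is an added example, not part of the original article: it assumes the RSAT ActiveDirectory PowerShell module is installed and that the delegation was made on an OU. The function name `Get-PasswordResetDelegation` and the DN `OU=Staff,DC=example,DC=com` are placeholders.

```powershell
# Added example (not from the original page). Needs the RSAT ActiveDirectory
# module, which provides the AD: drive that Get-Acl reads from.
Import-Module ActiveDirectory

# Well-known schema GUIDs, identical in every forest.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529' # extended right: Reset Password
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' # attribute: pwdLastSet
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # object class: user
$Any           = [guid]::Empty                                # ACE not limited to one type

# Hypothetical helper name; returns one row per ACE that lets a trustee reset
# passwords, or force a change at next logon, for users below the given OU.
function Get-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnitDN)

    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in (Get-Acl -Path "AD:\$OrganizationalUnitDN").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.InheritanceType -eq 'None')    { continue } # applies to the OU object only
        if ($ace.InheritedObjectType -notin $UserClass, $Any) { continue }

        # GenericAll (Full Control) contains both bits, so it is reported too.
        $grants = @()
        if ($ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
            $ace.ObjectType -in $ResetPassword, $Any) { $grants += 'Reset password' }
        if ($ace.ActiveDirectoryRights.HasFlag($adRights::WriteProperty) -and
            $ace.ObjectType -in $PwdLastSet, $Any)    { $grants += 'Write pwdLastSet' }
        if (-not $grants) { continue }

        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Grants    = $grants -join ', '
            Scope     = if ($ace.InheritedObjectType -eq $UserClass) { 'user objects' } else { 'all objects' }
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholder DN: replace with the OU the delegation was made on.
Get-PasswordResetDelegation -OrganizationalUnitDN 'OU=Staff,DC=example,DC=com' |
    Sort-Object Trustee | Format-Table -AutoSize
```

The group chosen in the wizard (e.g. ExampleDomain\Helpdesk) should appear with both grants scoped to user objects; any other trustee in the output is worth reviewing.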