Delegate password reset Active Directory permission

2 minutes to read

Delegate Control - Reset user passwords

This is a very easy way to delegate password reset active directory permission for a specific team from your company, in the same time you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords.

One of the strengths of Active Directory, or at least the management part of it, is the capability to delegate permissions to modify various aspects of the directory to your lower privileged users. To this end, your service desk team can have the capability to reset user passwords to their support desks or managers over certain departments. Here’s how to set up delegation for a group of users to have the capability of setting passwords for another subset of users in a particular OU.

Note: A recommendation is to have an OU structure that will permit you to delegate password for a specific OU, depends on how structured users are in your active directory.

Step-by-step delegate password:

  1. Open Active Directory Users and Computers.
  2. Right-click on the user or group you want to delegate and click Delegate Control…Delegate password reset active directory permission
  3. Click Next on the Welcome Wizard.
  4. Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
  5. Click OK once you’ve made your selection, followed by Next.
  6. Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next login.
  7. Click Next, and check your choose, after click Finish.

Delegating permissions is a very good way to empower your help desk, managers or other power users to help you with some of the daily IT tasks, making it difficult to concentrate on important or other interesting tasks.

To check the Delegated permission, go to one of the user’s Properties, Security tab, Advanced, click one of the entries, click Edit and check in Permissions if the “Change/Reset password” box is checked.

Leave a Reply

Your email address will not be published.Required fields are marked *