For those wanting to allow other users (preferably groups), inside or outside of your domain, to perform password resets but nothing more:
There are three permissions I consider part of a ‘password reset delegation policy’:
- Reset Password – this allows the group to reset the password for a user administratively, that is, without knowing the previous password.
- Read/Write pwdLastSet – this allows setting the “user must change password on next logon” flag, which I consider required when resetting a user’s password.
- Read/Write lockoutTime – assuming you have an account lockout policy, most users will keep guessing passwords until they are locked out before contacting the help desk for assistance. This allows your delegated group to simply clear the ‘Account is locked out’ box on the Account tab of the user’s properties.
Open Active Directory Users and Computers. You will need to have Advanced Features enabled (click the View pulldown menu on the menu bar; a checkmark to the left of Advanced Features signifies it is enabled).
If you have not done so, create a group for this delegation (in the example below: Help Desk-Password Reset). If you are granting rights to users in another domain (but still in your forest) you will need to make this group a Universal group. Otherwise a Global group is fine for delegating to users inside your domain.
Then navigate to the Organizational Unit you want to delegate password reset rights on and right-click the OU. Click Properties. On the <OU_NAME> Properties window, select the Security tab and click Advanced.
On the Advanced Security Settings for <OU_NAME> window, click Add.
When prompted, enter or search for your security group and click OK. You then have the Permission Entry for <OU_NAME> window.
Change “Apply onto” to “User objects”. Check the Allow box for “Reset Password”.
Next we will set the property permissions that allow forcing a password change at next logon. Click the Properties tab in the upper right of the Permission Entry window.
Change “Apply onto” to “User objects”, then scroll down to pwdLastSet. Check Allow for Read pwdLastSet and Write pwdLastSet.
Finally, if you want your delegated group to be able to unlock accounts that are locked out, scroll up to lockoutTime.
Check Allow for Read lockoutTime and Write lockoutTime. Click OK.
The summary page “Advanced Security Settings for <OU_NAME>” will now have three entries for the group, as shown here:
Click OK, and add the appropriate users to your new delegated security group.
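The same three permission entries can be applied with the ActiveDirectory module instead of clicking through the GUI. The following is an added example, not from the original post; the OU distinguished name is a placeholder, and the GUIDs are resolved from the forest schema at run time rather than hard-coded.

```powershell
# Added example: grant Reset Password plus Read/Write on pwdLastSet and
# lockoutTime to a group, applied to descendant user objects of one OU.
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=example,DC=com'   # placeholder: your target OU
$Group = 'Help Desk-Password Reset'       # group created in the walkthrough

# Resolve object/attribute GUIDs from this forest instead of hard-coding them.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
         -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)"
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
         -Properties rightsGuid -LDAPFilter "(displayName=$displayName)"
    [guid]$o.rightsGuid
}

$userClassGuid   = Get-SchemaGuid 'user'            # "Apply onto: User objects"
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$resetPwdGuid    = Get-ExtendedRightGuid 'Reset Password'

$sid = (Get-ADGroup -Identity $Group).SID
$acl = Get-Acl -Path "AD:\$OU"

# 1. Reset Password control access right on descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'ExtendedRight', 'Allow', $resetPwdGuid, 'Descendents', $userClassGuid))

# 2/3. Read + Write on pwdLastSet and lockoutTime, same scope.
foreach ($attrGuid in @($pwdLastSetGuid, $lockoutTimeGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, 'ReadProperty, WriteProperty', 'Allow', $attrGuid, 'Descendents', $userClassGuid))
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check: list only the entries granted to the group (should be exactly three).
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Run it from an account that holds Modify Permissions on the OU; the final query is the equivalent of the three-entry summary page and is worth re-running periodically to confirm the delegation has not been widened.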
The distinction between the "Reset Password" and "Change Password" permissions, quoted from http://www.primaryobjects.com/CMS/Article66.aspx:
"Resetting a user’s password is an administrative function and does not require the user’s existing password. You simply specify the new password and the user’s account is instantly changed. This is used in the case where the user has forgotten his password or where the password is simply not available.
Changing a user’s password requires the user’s existing password. Active Directory will first encrypt the existing password you supply and compare it against the encrypted password in the Active Directory database. If the passwords match, the new password that you supply will be set. If the passwords do not match, an exception will be thrown."