Additional Permissions needed for a Service Account to Reset and Change AD passwords and Unlock AD Accounts.
June 28, 2018 at 11:20 am
In some scenarios we have to delegate permissions to a junior administrator for AD-related tasks such as changing or resetting a user's password or unlocking a user account. Most of the articles I found when searching say to enable only the
“Reset user passwords and force password change at next logon” task. What I realized is that this alone does not grant the required permission to unlock accounts.
You therefore also need to add a custom delegation, as described below:
- Select "Create a custom task to delegate" and click Next.
- Select "Only the following objects in the folder" from the "Delegate control of" options.
- Select the "User objects" option as the object type to delegate and click Next.
- Ensure "Property-specific" is selected, then scroll down and select "Read lockoutTime" and "Write lockoutTime".
- Review the changes and click Next to complete the wizard.
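The same delegation done with PowerShell instead of the wizard, as an added example that is not part of the original post: it grants a group the "Reset Password" extended right plus Read/Write on pwdLastSet (what the wizard task grants) and on lockoutTime (the extra right needed to unlock accounts), scoped to user objects under one OU, and then lists the resulting ACEs so you can verify them. The OU distinguished name and group name are placeholders; the GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not the post's own code. Placeholders: change $ouDN and $groupName.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'      # placeholder OU holding the user objects
$groupName = 'JuniorAdmins-PasswordReset'      # placeholder delegation group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$ldapName) {
    [guid](Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq $ldapName } -Properties schemaIDGUID).schemaIDGUID
}
$userClassGuid   = Get-SchemaGuid 'user'
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$resetPwdGuid    = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -Filter { displayName -eq 'Reset Password' } -Properties rightsGuid).rightsGuid

$sid     = (Get-ADGroup $groupName).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rwProp  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Every ACE is limited to user objects (inheritedObjectType = user class) below the OU.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extRight, $allow, $resetPwdGuid,    $inherit, $userClassGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rwProp,   $allow, $pwdLastSetGuid,  $inherit, $userClassGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rwProp,   $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs granted to the group and scoped to user objects.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.InheritedObjectType -eq $userClassGuid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor; the verification listing should show three ACEs whose ObjectType values are the Reset Password, pwdLastSet and lockoutTime GUIDs.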
Please note that I have not listed detailed steps on how to create the delegation rules, as there are plenty of articles on the Internet that provide very descriptive guidelines along with screenshots.
Entry filed under: Windows. Tags: active directory, delegate, force password change.