Advertisement

Granting Users Password Change Ability
(Password Administration)

KB ID 0000503 Dtd 14/09/11

Problem

This is a two part operation, firstly you need to give the user(s) the rights to change passwords, then give them the tools to do so.

Solution

Step 1: Grant the rights (Delegation of Control)

1. Whilst logged into a domain controller with administrative access, open "Active Directory Users and Computers" and create a group that you are going to allow password reset rights to. Note: In this example I've created it in the same OU, in practice you would probably create the group elsewhere in AD.

create a group

2. We are going to need to create a security group, give it a sensible name.

create a group

3. At this point I'm also going to create a test user - (you will see why later), in the same OU that I'm going to grant password reset rights to.

create a group

4. Right click the OU containing the users you want to grant password reset rights to (Or like in this example, the parent OU). Then select "Delegate Control".

create a group

5. At the welcome screen > Next.

create a group

6. Add > Locate the group you created earlier > OK > Next.

create a group

7. Grant the "Reset user passwords and force password change at next logon" > Next.

create a group

8. Finish.

create a group

9. Finally add the user(s) you want to grant reset rights to to the group you created earlier.

create a group

Step 2 Give the user the tools - Option 1 (Create a Task Pad)

1. While still on your domain controller (or a machine with the RSAT tools Installed), Start > In the search/run box type mmc {enter}.

create a group

2. File > Add/Remove snap-in > Locate and add the "Active Directory Users and Computers" snap-in > Add > OK.

create a group

3. Right click the OU you are granting rights to > "New Taskpad View" (Note: you may need to turn on advanced view {view > Advanced options}).

create a group

5. Next.

create a group

6. Set as required > Next.

create a group

7. Leave on defaults > Next.

create a group

8. Add a name and description > Next.

create a group

9. Make sure the "Add new tasks..." is selected > Finish.

create a group

10. Next.

create a group

11. Menu command > Next

create a group

12. Select the test user you created above > Select "Reset Password" > Next.

create a group

13. This is what the user will see in their taskpad as an option > Next.

create a group

14. Select an icon > Next.

create a group

15. If you want to add anything else, leave the box ticked to re-run > Otherwise > Finish. Lets remove all the bits we don't need > View > Customise > Untick everything > OK.

create a group

16. File > Options > Give the console a name > Select "User mode - limited access single window" > Untick "Allow the user to customise views" > Note: You might want to tick "Do not save changes to the console" > Apply > OK.

create a group

17. File > Save > Put the file somewhere you can find it.

create a group

18. Now your password admins can run this taskpad and have the "Reset password option".

Note: For them to be able to run this on their client machines they need the following installing on their machines:

XP Clients and 2003 Server: adminpack.msi (you will find it in the system32 folder on your (2003)domain controllers.

Vista Clients and 2008 Server: Install the Vista RSAT Tools (download).

Windows 7 Clients and Server 2008 R2: Install the Windows 7 RSAT Tools (download).

create a group

Step 2 Give the user the tools - Option 2 (Use NTAdmin)

1. Yes its an old tool but it's simple and it works! Good for help desk staff and technophobes! Download NTAdmin > When you run it, browse > select the user in question > OK.

create a group

2. Click ResetPW > take the default of "welcome", or choose a new one > Yes > OK.

create a group

 

Related Articles, References, Credits, or External Links

NA