Granting Users Password Change Ability (Password Administration)

KB ID 0000503

Problem

This is a two-part operation: first you need to give the user(s) the rights to change passwords, then give them the tools to do so.

Solution

Step 1: Grant the rights (Delegation of Control)

1. Whilst logged into a domain controller with administrative access, open “Active Directory Users and Computers” and create a group that you are going to grant password reset rights to. Note: In this example I’ve created it in the same OU; in practice you would probably create the group elsewhere in AD.

2. The group needs to be a security group. Give it a sensible name.

3. At this point I’m also going to create a test user (you will see why later), in the same OU that I’m going to grant password reset rights to.

4. Right click the OU containing the users you want to grant password reset rights to (or, as in this example, the parent OU). Then select “Delegate Control”.

5. At the welcome screen > Next.

6. Add > Locate the group you created earlier > OK > Next.

7. Grant the “Reset user passwords and force password change at next logon” task > Next.

8. Finish.

9. Finally, add the user(s) who should have reset rights to the group you created earlier.
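To check the result of the delegation above, the following PowerShell lists every principal that holds password reset rights on the OU. This is an added example, not part of the original article; the OU distinguished name is a placeholder, and the GUIDs are the standard Active Directory schema identifiers for the Reset Password right, the pwdLastSet attribute and the user class.

```powershell
# Added example: audit which principals can reset passwords for users in an OU.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder DN: replace with the OU you ran "Delegate Control" on.
$OuDn = 'OU=Staff,DC=example,DC=local'

# Schema GUIDs behind the "Reset user passwords and force password
# change at next logon" task.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class
$Any           = [guid]::Empty                                 # "all" wildcard

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$OuDn"

$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    # ACE applies to user objects (or to every object type)
    $_.InheritedObjectType -in @($UserClass, $Any) -and (
        # Reset Password, or all extended rights
        ($_.ActiveDirectoryRights.HasFlag($Rights::ExtendedRight) -and
         $_.ObjectType -in @($ResetPassword, $Any)) -or
        # Write pwdLastSet (force change at next logon), or write all properties
        ($_.ActiveDirectoryRights.HasFlag($Rights::WriteProperty) -and
         $_.ObjectType -in @($PwdLastSet, $Any))
    )
} |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Expect the new group to appear alongside built-in administrative groups; any other identity in the output holds the same reset capability and should be reviewed.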

Step 2: Give the user the tools – Option 1 (Create a Task Pad)

1. While still on your domain controller (or a machine with the RSAT tools installed), Start > In the search/run box type mmc {enter}.

2. File > Add/Remove snap-in > Locate and add the “Active Directory Users and Computers” snap-in > Add > OK.

3. Right click the OU you are granting rights to > “New Taskpad View” (Note: you may need to turn on advanced view {view > Advanced options}).

5. Next.

6. Set as required > Next.

7. Leave on defaults > Next.

8. Add a name and description > Next.

9. Make sure the “Add new tasks…” is selected > Finish.

10. Next.

11. Menu command > Next

12. Select the test user you created above > Select “Reset Password” > Next.

13. This is what the user will see in their taskpad as an option > Next.

14. Select an icon > Next.

15. If you want to add anything else, leave the box ticked to re-run > Otherwise > Finish. Let’s remove all the bits we don’t need > View > Customise > Untick everything > OK.

16. File > Options > Give the console a name > Select “User mode – limited access single window” > Untick “Allow the user to customise views” > Note: You might want to tick “Do not save changes to the console” > Apply > OK.

17. File > Save > Put the file somewhere you can find it.

18. Now your password admins can run this taskpad and have the “Reset Password” option.

Note: For them to be able to run this on their client machines, they need the following installed on their machines:

XP Clients and 2003 Server: adminpack.msi (you will find it in the system32 folder on your (2003) domain controllers).

Vista Clients and 2008 Server: Install the Vista RSAT Tools (download).

Windows 7 Clients and Server 2008 R2: Install the Windows 7 RSAT Tools (download).

Step 2: Give the user the tools – Option 2 (Use NTAdmin)

1. Yes, it’s an old tool, but it’s simple and it works! Good for help desk staff and technophobes! Download NTAdmin > When you run it, browse > select the user in question > OK.

2. Click ResetPW > take the default of “welcome”, or choose a new one > Yes > OK.
