Password Control – Delegating Permissions

Normal users are not given permission by default to change other users’ passwords. Members of the Account Operators group are given this permission by default, but membership in this group will also give the user additional privileges. You will probably prefer to delegate only the permissions required to the users who need access to Password Control. The easiest way to delegate these permissions is to use the Delegation of Control Wizard. I will walk you through the steps required to delegate the appropriate permissions.
** Please note that you should be fully aware of the consequences of using the delegation of control wizard before running this procedure on your production domain.

  • Load Active Directory Users and Computers
  • Navigate to the OU containing your organization’s user accounts.
  • Right-click the OU – All Tasks – Delegate Control.
  • Click Next.
  • Select the user accounts or groups that will use Password Control. I’ve created a security group called “Password Control” for the purpose of giving users access to the Password Control program.
Delegation Of Control Wizard - Users or Groups Step
  • Click Next.
  • Select “Create a custom task to delegate”
Delegation Of Control Wizard - Tasks to Delegate Step
  • Click Next.
  • Select “Only the following objects in the folder”
  • Check “User Objects”
Delegation Of Control Wizard - Active Directory Object Type Step
  • Click Next.
  • Select the “General” & “Property-specific” check boxes.
  • Select “Reset Password”, “Write pwdLastSet”, “Write userAccountControl” and “Write lockoutTime”.
Delegation Of Control Wizard - Permissions Step
  • Click Next.
  • Click Finish.

Please note that there is no way to undo the actions performed by the delegation of control wizard. If you need to modify the security, you will need to enable the “advanced features” in Active Directory Users and Computers so that the Security tab becomes available.

Some of the permissions delegated might not be obvious:

  • pwdLastSet – Required to force a password change at next logon.
  • userAccountControl – Required to enable/disable user accounts.
  • Reset Password – Allows you to reset a user’s password.
  • lockoutTime – Required to unlock user accounts. User accounts are automatically unlocked by Password Control when you change a user’s password.
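The same four rights from the wizard steps above, granted with PowerShell instead, as an added example that is not from the original article. It assumes the ActiveDirectory module (RSAT) and its AD: drive, resolves the attribute and extended-right GUIDs from the schema rather than hard-coding them, and uses a placeholder OU distinguished name; the group name is the one from the article. The read-back at the end is the view to use when reviewing what was granted, since the wizard has no undo.

```powershell
# Added example, not the article's own code. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn      = 'OU=Users,DC=example,DC=com'   # placeholder: your user OU
$GroupName = 'Password Control'             # group name used in the article

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup $GroupName
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up an attribute's or class's schemaIDGUID in the schema naming context.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# "Reset Password" is a control access right stored under CN=Extended-Rights.
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'   # limits each ACE to user objects only
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$OuDn"

# Extended right: Reset Password, inherited by descendant user objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', (Get-RightGuid 'Reset Password'), $inherit, $userClass))

# Property writes: pwdLastSet, userAccountControl, lockoutTime on user objects.
foreach ($attr in 'pwdLastSet', 'userAccountControl', 'lockoutTime') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'WriteProperty', 'Allow', (Get-SchemaGuid $attr), $inherit, $userClass))
}

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Read back what the group now holds on this OU (works for wizard-created ACEs too).
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
```

The ObjectType column shows GUIDs; compare them with the values returned by Get-SchemaGuid and Get-RightGuid to confirm each ACE is scoped to the intended attribute or right.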