Permissions a Service Account Needs to Reset and Change AD passwords and to Unlock AD Accounts


Web Active Directory recommends that you create a service account in your domain dedicated to resetting passwords in PeoplePassword. PeoplePassword uses the service account to bind to your Active Directory to perform password reset operations instead of passing the PeoplePassword user’s credentials to Active Directory for binding. Web Active Directory has chosen to implement the service account model instead of passing user credentials to simplify the Active Directory configuration required to run PeoplePassword. You only need to configure Active Directory permissions that delegate reset password permissions to the PeoplePassword service account.

Notes
PeoplePassword requires that your service account have permissions to reset passwords and force password reset at next logon as well as to unlock AD accounts. Once you create the PeoplePassword service account in your domain, use the procedures below to grant the necessary permissions to 1) reset Active Directory passwords, 2) change Active Directory passwords, and 3) unlock Active Directory accounts using PeoplePassword. Each procedure uses the Delegation of Control wizard to delegate administrative password resets and Windows account unlocks to your service account.

Procedure 1: To grant Microsoft Active Directory password reset permissions to your PeoplePassword service account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword service account you created previously.
  6. Click Next to proceed.
  7. Under Delegate the following common tasks, choose to delegate the privilege to Reset user passwords and force password change at next logon. This will delegate AD password change and reset privileges to the service account.
  8. Click Next to proceed.
  9. Review the changes and ensure the changes are correct.
  10. Click Finish to save your changes and close the wizard.

You need to run the Delegation of Control wizard one more time to delegate the AD unlock account privilege. Follow Procedure 2 to complete this action. Unlocking an account is done by writing the AD lockoutTime attribute, and the wizard offers no common task for that attribute, so you cannot delegate it the way you delegated the reset password privileges; it must be delegated as a custom, property-specific task.

Notes
The change password privilege is granted to Everyone by default, so no additional delegation is required for it. You can read more about the reasons for this at http://webactivedirectory.com/knowledge-base/everyone-permissions-change-passwords-active-directory/

Procedure 2: To grant Active Directory unlock account permissions to your PeoplePassword service account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword service account you created previously.
  6. Click Next to proceed.
  7. Choose Create a custom task to delegate and click Next.
  8. Choose Only the following objects in the folder from the Delegate control of option.
  9. Check the User objects option as the object to which to delegate.
  10. Click Next to proceed.
  11. Ensure Property-specific is checked.
  12. Scroll to the Read lockoutTime permission and check Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
  13. Click Next to proceed.
  14. Review the changes and ensure the changes are correct.
  15. Click Finish to save your changes and close the wizard.

You should now be ready to run PeoplePassword to reset and change Active Directory passwords and unlock Active Directory accounts.
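After running both wizards, you can confirm that the service account holds exactly the rights described above and nothing more. The following PowerShell check is an added example, not part of the PeoplePassword documentation; the service account name and target OU are placeholders, and it assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed.

```powershell
# Added verification script (not part of the PeoplePassword documentation).
# Assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides.
Import-Module ActiveDirectory

# Placeholders: replace with your service account and the OU or domain root you delegated.
$ServiceAccount = 'CONTOSO\svc-peoplepassword'
$TargetDN       = 'OU=Staff,DC=contoso,DC=com'

$rootDse = Get-ADRootDSE

# Resolve the GUIDs the ACEs reference from the schema and Extended-Rights container
# rather than hard-coding them.
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetGuid = [guid]$resetRight.rightsGuid

function Get-AttributeGuid([string]$LdapName) {
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID   # schemaIDGUID is stored as a byte array
}
$lockoutGuid = Get-AttributeGuid 'lockoutTime'

# Only the Allow entries granted to the service account on the delegated container.
$acl = Get-Acl -Path "AD:\$TargetDN"
$svcAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}

function Test-Ace($Aces, [string]$Right, [guid]$ObjectType) {
    $flag = [System.DirectoryServices.ActiveDirectoryRights]$Right
    [bool]($Aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($flag) -and $_.ObjectType -eq $ObjectType })
}

# Procedure 1 grants the Reset Password extended right; Procedure 2 grants
# property-specific read and write on lockoutTime.
$checks = [ordered]@{
    'Reset Password (extended right)' = Test-Ace $svcAces 'ExtendedRight' $resetGuid
    'Read lockoutTime'                 = Test-Ace $svcAces 'ReadProperty'  $lockoutGuid
    'Write lockoutTime'                = Test-Ace $svcAces 'WriteProperty' $lockoutGuid
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Any other ACE on this account is more than PeoplePassword needs; review and remove it.
$svcAces | Where-Object { $_.ObjectType -notin @($resetGuid, $lockoutGuid) } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Run it from an account that can read the OU's security descriptor; a MISSING line means the corresponding wizard step was skipped or applied to a different container.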
