I am looking for a method to allow some IT people to reset the passwords of some specific users in a given OU. For example, let's say there is an OU named HR; there are many people in the HR OU, including user1, user2, user3. Now I want to delegate a local IT person so he can reset the password of only user1, user2, user3, not all the users in the OU.
Hi,
You can delegate an admin account to reset or change the password on some users.
Go to each user account's Properties -> Security -> Advanced -> Add, as mentioned below:
Please don't forget to mark the helpful reply as the answer.
Could you suggest some other way please?
Our security team built an .ASPX (Dot Net) web site to allow help desk support technicians to perform that process. The web site was configured to authenticate, but not impersonate, the client. The code would enumerate the user's AD group membership. If they were NOT a member of the Help-Desk-Users group, they were shown a "Sorry, you are not authorized" message.
The page then prompted the user for the account ID, and did a lookup on it to get AD properties and also read the HR database. The Help Desk techs were instructed to ask the person on the phone to verify something like their date of birth or address to ensure that they were who they claimed to be. They could then enter a new password.
The IIS worker process identity for the site was configured as an AD account that had the permissions within AD to set a user's password.
The site would log the activity to maintain an audit trail. In some cases it would email managers to alert them.
It's not an "out of the box" solution, as you would have to write the code that applies to your environment, but you would have complete control over its functionality.
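As an added illustration of the flow described in that answer (this is not the security team's ASPX code, and it is not part of the original thread), the same control path written as a PowerShell function a help desk tech could run: check that the caller is in the Help-Desk-Users group, look the account up, refuse anything outside the delegated OU, record how the caller verified the person's identity, reset the password, and append an audit record. The group name, the OU, the log path and the verification options are assumptions; it needs the ActiveDirectory module (RSAT) and runs with whatever account has been delegated the Reset Password right.

```powershell
# Added example, not the ASPX site from the answer. All names below are assumptions.
Import-Module ActiveDirectory

$HelpDeskGroup = 'CONTOSO\Help-Desk-Users'                 # assumed authorising group
$AllowedOU     = 'OU=HR,DC=contoso,DC=com'                  # assumed: only accounts under here may be reset
$AuditLog      = 'C:\ProgramData\HelpDesk\reset-audit.log'  # assumed audit trail location

function Test-CallerIsHelpDesk {
    # Walk the caller's token groups (includes nested membership) and look for the help desk group.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $id.Groups) {
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { continue }   # an unresolvable SID (e.g. a deleted group) is never a match
        if ($name -eq $HelpDeskGroup) { return $true }
    }
    return $false
}

function New-TemporaryPassword {
    # 18 CSPRNG bytes -> 24 Base64 characters (upper, lower, digits, + and /), which satisfies
    # the default domain complexity rule. It is temporary: the user must change it at next logon.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Which HR attribute the tech checked on the phone. Only the method is logged, never the value.
        [Parameter(Mandatory)][ValidateSet('DateOfBirth', 'Address', 'EmployeeID')][string]$VerifiedBy
    )
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not (Test-CallerIsHelpDesk)) {
        throw "Sorry, you are not authorized"
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties Manager, adminCount

    # Scope checks: stay inside the delegated OU and never touch AdminSDHolder-protected accounts.
    if ($user.DistinguishedName -notlike "*,$AllowedOU") {
        throw "$SamAccountName is outside $AllowedOU"
    }
    if ($user.adminCount -eq 1) {
        throw "$SamAccountName is a protected account (adminCount=1); not resettable from the help desk"
    }

    $newPassword = New-TemporaryPassword
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Audit record: who did it, to whom, when, and how identity was verified. The password is never logged.
    $record = [ordered]@{
        time       = (Get-Date).ToString('o')
        caller     = $caller
        target     = $user.DistinguishedName
        verifiedBy = $VerifiedBy
        manager    = $user.Manager     # available here if you also want to notify the manager
    } | ConvertTo-Json -Compress
    Add-Content -Path $AuditLog -Value $record

    # Returned once so the tech can read it to the caller; the forced change at logon limits its life.
    return $newPassword
}

# Usage (assumed names): Reset-HelpDeskPassword -SamAccountName user1 -VerifiedBy DateOfBirth
```

One design difference from the ASPX site is worth keeping in mind: the web site ran under a worker process identity that held the AD permission, so the techs themselves never did. The PowerShell equivalent of that is a JEA endpoint whose session configuration runs as a group managed service account, with this function exposed as the only visible command; running the script directly means every tech's own account must carry the Reset Password right.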
As suggested, there are only two methods to achieve your goal: implement an account management solution, or delegate the permissions and use the native tools.
Rather than using ADUC to set the permissions on the users, you could use dsacls to automate the changing of the permissions.
For dsacls the command would be:
dsacls "<user_object_dn>" /G "<domain>\<it_staff_name>:CA;Reset Password"
Gary.
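For the delegation route, which the first answer does by hand in each user's Security tab and which Gary's dsacls line scripts one object at a time, here is an added PowerShell example (not from either answer, and not part of the original thread) that grants the Reset Password control access right on exactly the named user objects to one group, using the AD: drive and Set-Acl. It resolves the right's GUID from the schema rather than hard-coding it, adds nothing if the ACE is already present so it can be re-run, and writes a line per user to a log. The group name, the three user names and the log path are assumptions; it needs the ActiveDirectory module and an account allowed to modify those users' security descriptors.

```powershell
# Added example, not from the thread. Group, user names and log path are assumptions.
Import-Module ActiveDirectory

$Delegate    = 'CONTOSO\HR-PasswordReset'                           # assumed group holding the local IT staff
$TargetUsers = 'user1', 'user2', 'user3'                             # the three HR users from the question (assumed sAMAccountNames)
$AuditLog    = 'C:\ProgramData\Delegation\reset-delegation.log'      # assumed

function Get-ControlAccessRightGuid {
    # Look the control access right up in the configuration partition by display name.
    # (For "Reset Password" this resolves to the well-known 00299570-246d-11d0-a768-00aa006e0529.)
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg = (Get-ADRootDSE).ConfigurationNamingContext
    $car = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $car) { throw "Control access right '$DisplayName' not found in the schema" }
    [Guid]$car.rightsGuid
}

function Grant-ResetPasswordOnUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Principal,     # DOMAIN\group that receives the right
        [Parameter(Mandatory)][Guid]$RightGuid
    )
    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                [System.Security.Principal.SecurityIdentifier])

    # Idempotency: skip if an Allow ACE for this principal and this extended right is already there.
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $RightGuid
    }
    if ($existing) { return 'already-delegated' }

    # One ACE: Allow, ExtendedRight, restricted to this single control access right,
    # on this object only (inheritance None), so nothing else in the OU is affected.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $RightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return 'delegated'
}

$resetGuid = Get-ControlAccessRightGuid -DisplayName 'Reset Password'
foreach ($u in $TargetUsers) {
    $result = Grant-ResetPasswordOnUser -SamAccountName $u -Principal $Delegate -RightGuid $resetGuid
    $line = '{0:o} {1} {2} {3}' -f (Get-Date), $env:USERNAME, $u, $result
    Add-Content -Path $AuditLog -Value $line
    Write-Output $line
}
```

Two checks a practitioner will want afterwards. First, confirm the result with dsacls "<user_object_dn>" (no options), which lists the ACEs and should show the group with "Reset Password" as a control access right on that object only. Second, remember that SDProp rewrites the security descriptor of any account with adminCount=1 from AdminSDHolder, so if one of the three users is in a protected group this per-object ACE will quietly disappear; such accounts should not be delegated to local IT at all. Granting only Reset Password is deliberate: Change Password is the right a user exercises on their own account when they know the old password, and the help desk does not need it.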