Permissions an Account Needs to Reset and Change AD passwords and to Unlock AD Accounts

Web Active Directory recommends that you create an account in your domain dedicated to resetting passwords in PeoplePassword. PeoplePassword uses this account to bind to your Active Directory and perform password reset operations, instead of passing the PeoplePassword user’s credentials to Active Directory for binding. Web Active Directory chose this proxy account model over passing user credentials to simplify the Active Directory configuration required to run PeoplePassword: you only need to configure Active Directory permissions that delegate reset password permissions to the PeoplePassword account.

Notes:
PeoplePassword requires that your account have permissions to reset passwords and force password reset at next logon as well as to unlock AD accounts. Once you create the PeoplePassword account in your domain, use the procedures below to grant the necessary permissions to 1) reset Active Directory passwords, 2) change Active Directory passwords, and 3) unlock Active Directory accounts using PeoplePassword. Each procedure uses the Delegation of Control wizard to delegate administrative password resets and Windows account unlocks to your service account.

Procedure 1: To grant Microsoft Active Directory password reset permissions to your PeoplePassword account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword account you created previously.
  6. Click Next to proceed.
  7. Under Delegate the following common tasks, choose to delegate the privilege to Reset user passwords and force password change at next logon. This will delegate AD password change and reset privileges to the service account.
  8. Click Next to proceed.
  9. Review the changes and ensure the changes are correct.
  10. Click Finish to save your changes and close the wizard.

You need to run the Delegation of Control wizard one more time to delegate the AD unlock account privilege. Follow Procedure 2 to complete this action. This privilege is controlled by the AD lockoutTime attribute, and you cannot delegate it using a common task as you did for the reset password privileges; it must be delegated as a custom task on the lockoutTime property.

Notes:
The change password privilege is granted to Everyone automatically, since you are required to know your old password in order to change it.

Procedure 2: To grant Active Directory unlock account permissions to your PeoplePassword account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword account you created previously.
  6. Click Next to proceed.
  7. Choose Create a custom task to delegate and click Next.
  8. Choose Only the following objects in the folder from the Delegate control of option.
  9. Check the User objects option as the object to which to delegate.
  10. Click Next to proceed.
  11. Ensure Property-specific is checked.
  12. Scroll to the Read lockoutTime permission and check Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
  13. Click Next to proceed.
  14. Review the changes and ensure the changes are correct.
  15. Click Finish to save your changes and close the wizard.

You should now be ready to run PeoplePassword to reset and change Active Directory passwords and unlock Active Directory accounts.
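The following PowerShell script is an added example, not code from Web Active Directory or from the article above. It grants the same access control entries that Procedures 1 and 2 write through the Delegation of Control wizard: the Reset Password control-access right plus Read/Write pwdLastSet (the "Reset user passwords and force password change at next logon" common task) and Read/Write lockoutTime, all scoped to descendant user objects only. The service account name CORP\svc-peoplepassword and the OU distinguished name are assumptions to replace with your own; it also assumes the ActiveDirectory module from RSAT is installed and that you run it as an account that can modify the OU's security descriptor.

```powershell
# Added example: scripted equivalent of Procedures 1 and 2 (not Web Active Directory's own code).
# Account and OU values below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-peoplepassword'        # assumed service account (DOMAIN\sAMAccountName)
$TargetOU       = 'OU=Staff,DC=corp,DC=example'     # assumed OU; use the domain DN to delegate at the root

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve schema and extended-right GUIDs from the directory at run time instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClassGuid   = Get-SchemaGuid 'user'          # inherited-object type: apply to user objects only
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'    # "force password change at next logon" writes this attribute
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # unlocking an account writes this attribute
$resetPwdGuid    = Get-ExtendedRightGuid 'Reset Password'

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = @(
    # Procedure 1: Reset Password control-access right on descendant user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extRight, $allow, $resetPwdGuid, $inherit, $userClassGuid)
    # Procedure 1: Read/Write pwdLastSet so the account can force a change at next logon
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $readWrite, $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
    # Procedure 2: Read/Write lockoutTime so the account can unlock users
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $readWrite, $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

# Apply the three ACEs to the OU's security descriptor.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs that belong to the service account, so an unexpected extra
# right (or a missing one) stands out before PeoplePassword is pointed at this OU.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Running the script once is idempotent in effect: AddAccessRule merges an identical ACE rather than duplicating it. Scoping every rule to Descendents with the user class as the inherited-object type keeps the service account from gaining the same rights over computer or other object types under the OU, which is what the wizard's "Only the following objects in the folder: User objects" selection in Procedure 2 achieves. Because the change password right is already granted to Everyone by default, nothing here needs to add it.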
