Permissions an Account Needs to Reset and Change AD passwords and to Unlock AD Accounts

Permissions an Account Needs to Reset and Change AD passwords and to Unlock AD Accounts

Web Active Directory recommends that you create an account in your domain dedicated to resetting passwords in PeoplePassword. PeoplePassword uses this account to bind to your Active Directory to perform password reset operations instead of passing the PeoplePassword user’s credentials to Active Directory for binding. Web Active Directory has chosen to implementa proxy account model instead of passing user credentials to simplify the Active Directory configuration required to run PeoplePassword. You only need to configure Active Directory permissions that delegate reset password permissions to the PeoplePassword account.

Notes:
PeoplePassword requires that your account have permissions to reset passwords and force password reset at next logon as well as to unlock AD accounts. Once you create the PeoplePassword account in your domain, use the procedures below to grant the necessary permissions to 1) reset Active Directory passwords, 2) change Active Directory passwords, and 3) unlock Active Directory accounts using PeoplePassword. Each procedure uses the Delegation of Control wizard to delegate administrative password resets and Windows account unlocks to your service account.

Procedure 1: To grant Microsoft Active Directory password reset permissions to your PeoplePassword account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword account you created previously.
  6. Click Next to proceed.
  7. Under Delegate the following common tasks, choose to delegate the privilege to Reset user passwords and force password change at next logon. This will delegate AD password change and reset privileges to the service account.
  8. Click Next to proceed.
  9. Review the changes and ensure the changes are correct.
  10. Click Finish to save your changes and close the wizard.

You need to run the Delegation of Control wizard one more time to delegate the AD unlock account privilege. Follow Procedure 2 to complete this action. This privilege is controlled by the AD lockoutTime attribute and you cannot delegate it using a common task like you did for the reset password privileges.

Notes:
The change password privilege is granted to Everyone automatically since you are required to know your old password in order to change it.

Procedure 2: To grant Active Directory unlock account permissions to your PeoplePassword account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow PeoplePassword to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PeoplePassword account you created previously.
  6. Click Next to proceed.
  7. Choose Create a custom task to delegate and click Next.
  8. Choose Only the following objects in the folder from the Delegate control of option.
  9. Check the User objects option as the object to which to delegate.
  10. Click Next to proceed.
  11. Ensure Property-specific is checked.
  12. Scroll to the Read lockoutTime permission and check Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
  13. Click Next to proceed.
  14. Review the changes and ensure the changes are correct.
  15. Click Finish to save your changes and close the wizard.

You should now be ready to run PeoplePassword to reset and change Active Directory passwords and unlock Active Directory accounts.

Resources


    • Related Articles

    • Why everyone has permissions to change passwords in Active Directory

      The everyone group is set on all new user objects by default with the ability to change user account passwords (given the password is known). This isn’t set through inheritance, but rather from default objectclass=user permissions set through ...
    • Check effective permissions in Active Directory

      Description You can check the effective permissions in Active Directory to determine the privileges that one account has on another account. Notes Web Active Directory products typically use a service account to connect to Active Directory and ...
    • Create a service account for PeoplePlatform

      Web Active Directory recommends that you create a service account in your Active Directory domain dedicated to creating new accounts for PeoplePlatform, use the service account to bind to your Active Directory to perform search and account creation ...
    • Why do I get a General Access Denied Error in my Application?

      You might see an error similar to the following in the Application event log or error log file for your local application installation. “Exception occurred in Active Directory: General access denied error” This usually indicates a permissions error ...
    • Why do Active Directory Permissions Revert After I Set Them?

      Active Directory has a feature that keeps privileged users like Domain Admins from locking themselves out of Active Directory by incorrectly setting permissions. The AdminSDHolder object and its Active Directory worker code is used by Domain ...