I have made a service that has the capability to reset or change passwords, unlock a locked-out account, and read AD profile values (e.g. sn, firstname etc.) of some domain user after the user verifies himself through phone. On the target domain server, there exists a privileged account who is capable of doing these tasks. I use the .NET Framework Directory Services API and use the privileged account to perform tasks. So far, my privileged account was basically a domain admin and was capable of doing way more than required. Now, as part of trial runs, I need to know the exact policies I need to have in order to do these tasks only:
- Reset a user password
- Reset a user password and mark the password as expired
- Change a user password (user will provide current password)
- Unlock a locked account
- Read a user's AD profile property
Can someone list the required privileges so I can configure a special account and make it a part of the deployment documentation?
Best Answer
The feature you are looking for is Active Directory Rights Delegation. It lets you assign a user or group rights to do things like reset password, edit specific Active Directory attributes, etc.
Setting it up is as simple as right-clicking on an OU in Active Directory Users and Computers and picking "Delegate Control...". You could probably figure it out without reading Microsoft's documentation, but I recommend you read it anyway.
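Scripted equivalent of the "Delegate Control..." step, as an added example that is not part of the original answer: one ACE per task in the question, scoped to user objects under a single OU. It assumes the RSAT ActiveDirectory module; `$ServiceAccount` and `$TargetOU` are placeholders.

```powershell
# Added example: grant a service account only the rights the question lists.
# Assumes the RSAT ActiveDirectory module; account and OU below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-helpdesk'          # placeholder
$TargetOU       = 'OU=Staff,DC=contoso,DC=com'    # placeholder

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve attribute/class GUIDs and extended-right GUIDs from the directory
# rather than hard-coding them, so the script is correct on any forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$o.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$identity    = [System.Security.Principal.NTAccount]$ServiceAccount
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
# Apply to user objects below the OU, not to the OU itself (enum spelling is .NET's).
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE per task from the question; each is limited to a single right or attribute.
$aces = @(
    @{ Rights = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Reset Password'  }  # reset password
    @{ Rights = 'ExtendedRight'; Guid = Get-ExtendedRightGuid 'Change Password' }  # change with current password
    @{ Rights = 'WriteProperty'; Guid = Get-SchemaGuid 'pwdLastSet'  }             # pwdLastSet = 0 marks it expired
    @{ Rights = 'WriteProperty'; Guid = Get-SchemaGuid 'lockoutTime' }             # lockoutTime = 0 unlocks
    @{ Rights = 'ReadProperty';  Guid = Get-SchemaGuid 'sn'          }             # profile reads (usually already
    @{ Rights = 'ReadProperty';  Guid = Get-SchemaGuid 'givenName'   }             # granted to Authenticated Users)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($a in $aces) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]$a.Rights, $allow,
        $a.Guid, $descendants, $userClass)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list only the ACEs granted to the service account.
(Get-Acl -Path "AD:\$TargetOU").Access | Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Before cutting over, keep the service account out of Domain Admins and confirm the ACEs with the verification query above; the ObjectType column should show only the six GUIDs resolved here.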