Delegating Active Directory Permission to Reset Passwords
1. Page 1 of 25
Delegating Permission to Reset Passwords
Created by. Travis Kench – travis@tkcomputersolutions.com – 1/3/2017
SCENARIO: Your librarians or other departmental staff want to be able to reset user account passwords
for a particular organizational unit within your organization. You obviously don’t want to give them
Domain Administrator rights nor do you want to give them access to other secured resources that they
don’t need.
SOLUTION: Create a custom Active Directory Users & Computers (ADUC) Microsoft Management
Console (MMC) and use the Delegation of Control Wizard in Active Directory to grant a particular
group only the permission to reset the password of an account. The permission lives on the OU's
access control list, not in the console; the console just gives the group a simple, focused
tool. The same approach, with different wizard tasks, can delegate other routine jobs to a
user or group, which saves them time and decreases the number of help desk tickets you handle.
I will be using a Windows 10 client and a Windows Server 2012 R2 server for my demonstration. This
tutorial also applies to the following client & server operating systems: Windows 7, 8, 8.1, 10, Server
2008, 2008 R2, 2012, and 2012 R2.
Install Remote Server Administration Tools (RSAT) on the end user's computer.
1) On the local computer of each user who will use this custom ADUC MMC console, install the RSAT
package that matches their version of Windows:
a. Windows 7 RSAT
b. Windows 8 RSAT
c. Windows 8.1 RSAT
d. Windows 10 RSAT
2) Once RSAT is installed, enable the AD DS tools it contains from Programs and Features in the
local computer's Control Panel.
Windows 10 RSAT Setup
a. Right-click the Start Menu Windows icon > Programs and Features > Turn Windows
features on or off
b. Check the selection labeled Remote Server Administration Tools
c. Expand Remote Server Administration Tools
d. Expand Role Administration Tools
e. Expand AD DS and AD LDS Tools
f. Expand AD DS Tools
g. Enable AD DS Snap-ins and Command-line Tools and click OK.
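The same RSAT setup from an elevated PowerShell prompt on the client, as an added example that is not part of the original tutorial. It assumes Windows 10: builds from 1809 onward ship the AD DS tools as a Feature on Demand with no separate download, while earlier builds (and Windows 7/8/8.1) need the RSAT installer from the list in step 1 first, after which the optional feature is enabled exactly as in step 2. The capability and feature names are the ones Microsoft uses for the AD DS snap-ins; the build-number branch is this example's own.

```powershell
# Added example (not from the original tutorial): install/enable the AD DS tools on a
# Windows 10 client and verify that the ADUC snap-in and the ActiveDirectory module exist.
# Run from an elevated PowerShell prompt.
$build = [System.Environment]::OSVersion.Version.Build

if ($build -ge 17763) {
    # Windows 10 1809 and later: Feature on Demand, downloaded from Windows Update.
    $cap = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    if ((Get-WindowsCapability -Online -Name $cap).State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $cap
    }
} else {
    # Earlier Windows 10 builds, after the RSAT installer from step 1 has run:
    # this is the "AD DS Snap-ins and Command-line Tools" checkbox from step 2g.
    # -All also enables its parent features (Role Administration Tools, AD DS and AD LDS Tools).
    Enable-WindowsOptionalFeature -Online -All `
        -FeatureName RemoteServerAdministrationTools-Roles-AD-DS-SnapIns
}

# Verify: dsa.msc is the ADUC snap-in the custom console will load, and the
# ActiveDirectory module is what the PowerShell examples later on this page use.
Test-Path "$env:SystemRoot\System32\dsa.msc"
Get-Module -ListAvailable -Name ActiveDirectory | Select-Object Name, Version
```

Both checks at the end should return a result (True and a module listing); if either is missing, the console in the later steps will fail to load the snap-in on that client.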
Create a custom Global Security group in Active Directory.
3) On the server open Active Directory Users and Computers > Right-click on the Organizational Unit
(OU) where you want to store the group > select New > and then select Group.
4) Give the group a meaningful name so that it is easy to tell who should be in the
group as well as what they may be allowed to do. Within our school district we have building
level IT representatives that help with certain tasks so I will name our group "IT Building Reps".
Set Group scope to Global and Group type to Security, then click OK.
5) Add your designated users to the Global Security group. Double-click the group's name to open
its properties.
6) Go to the Members tab and click Add. Once you have added all of your members click Apply
and then OK.
Utilize the Delegation of Control Wizard to Assign Permissions
7) Right-click on the user OU that holds the accounts you want the group to be able to reset
passwords for and select Delegate Control…
8) On the Welcome to the Delegation of Control Wizard window, click Next.
9) On the Delegation of Control Wizard: Users or Groups window, click Add.
10) Input the group name that you created in Step 4, click Check Names to verify you typed the
group’s name correctly and then click OK.
11) At the following screen click Next.
12) Delegation of Control Wizard: Tasks to Delegate window, enable the checkbox next to Reset
user passwords and force password change at next logon and click Next.
13) Completing the Delegation of Control Wizard window, click Finish.
Verifying the permissions you created with the Delegation of Control Wizard
14) Within ADUC, click the View tab at the top of the screen and make sure the Advanced Features
menu-item has a check mark next to it showing you that it is enabled. If it isn’t enabled just click
on Advanced Features and it will then be enabled.
15) Right-click on the user OU that you selected in Step 7 and select the Properties menu-item.
16) Select the Security tab, verify that the Global Security group that you created in Step 4 appears
in the list. Highlight your Global Security group’s name and click Advanced.
17) Verify that the "Reset Password" permission (together with Read and Write of the pwdLastSet
attribute, which is what "force password change at next logon" needs) has been granted to your
custom Global Security group and that each entry applies to Descendant User objects, then click Edit.
These entries are inherited by every user object under the OU, so keep administrative and service
accounts out of delegated OUs: accounts in protected groups ignore inherited permissions (AdminSDHolder
resets their ACLs), but any other privileged account stored here could have its password reset by the group.
18) The Edit dialog lists every permission that could be delegated on these objects; confirm that
only the ones from step 12 are ticked.
19) Click OK three times to return to the ADUC window.
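The delegation (steps 7-13) and its verification (steps 14-17) from PowerShell, as an added example that is not part of the original tutorial. It grants the same permissions the wizard's "Reset user passwords and force password change at next logon" task grants, namely the Reset Password control access right and Read/Write of pwdLastSet on descendant user objects, and additionally grants Read/Write of lockoutTime so that the "Unlock the user's account" checkbox in the reset dialog also works; compare the Edit dialog from step 18 to see whether your wizard version already includes that entry. It then lists the resulting entries with the GUIDs translated back to names and checks the OU for privileged accounts that would be exposed by the inherited entries. It assumes RSAT's ActiveDirectory module, an account allowed to change the OU's ACL, and the placeholder OU distinguished name and group name shown.

```powershell
# Added example (not from the original tutorial): delegate password reset on an OU from
# PowerShell and verify the result. Assumes the ActiveDirectory module from RSAT and that
# the two values below are replaced with your own OU and group.
Import-Module ActiveDirectory

$ouDn  = 'OU=Students,OU=Users,DC=corp,DC=example'   # assumed OU; replace with yours
$group = 'IT Building Reps'                          # the group created in step 4

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve the GUIDs the ACEs refer to from this forest's schema and configuration
# partitions instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid      = (Get-ADGroup -Identity $group).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$descend  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty,WriteProperty'

$acl = Get-Acl -Path "AD:\$ouDn"
# ACE 1: the Reset Password control access right, inherited only by user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $extRight, $allow, $resetPwd, $descend, $userClass)))
# ACE 2 and 3: attribute-level read/write of pwdLastSet (force change at next logon)
# and lockoutTime (unlock), also scoped to descendant user objects only.
foreach ($attr in @($pwdLastSet, $lockoutTime)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rwProp, $allow, $attr, $descend, $userClass)))
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification, the equivalent of steps 14-17: show the group's ACEs on the OU
# with the object-type GUIDs translated back to names.
$names = @{ "$resetPwd" = 'Reset Password'; "$pwdLastSet" = 'pwdLastSet';
            "$lockoutTime" = 'lockoutTime'; "$userClass" = 'user' }
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Select-Object @{n='Rights';    e={ $_.ActiveDirectoryRights }},
                  @{n='On';        e={ $names["$($_.ObjectType)"] }},
                  @{n='AppliesTo'; e={ $names["$($_.InheritedObjectType)"] }},
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize

# Scope check: the ACEs are inherited by every user object under the OU. Accounts with
# adminCount=1 are protected by AdminSDHolder and ignore inherited ACEs, but any other
# account in a sensitive group that lives here becomes resettable by the delegates.
# (memberOf shows direct membership only.) Anything listed should be moved out of the OU.
$sensitive = '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Server Operators),'
Get-ADUser -SearchBase $ouDn -Filter * -Properties adminCount, memberOf |
    Where-Object { $_.adminCount -eq 1 -or (@($_.memberOf) -match $sensitive).Count -gt 0 } |
    Select-Object SamAccountName, adminCount, DistinguishedName
```

The three entries printed by the verification should all show InheritanceType Descendents and AppliesTo user; an entry with an empty AppliesTo would apply to every object class under the OU, which is broader than the wizard grants.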
Creating a custom MMC snap-in
20) Right-click the Start Menu Windows icon and select Run.
21) At the Run dialog box type mmc and click OK.
22) Within the MMC window click on File then select Add/Remove Snap-in.
23) Highlight Active Directory Users and Computers, click Add, and then click OK.
24) Right-click on the user OU that you selected in Step 7 then select New Window from Here.
25) A new console window opens that shows only the user OU you want the end user to see.
Creating a Taskpad View
IMPORTANT: If you only have one parent OU and no child user OUs, you will only need to go
through steps 26-37 once. If you have multiple child OUs under your parent user OU, you will
need to repeat steps 26-37 on each of those OUs.
26) Right-click on the user OU that you selected in Step 7 and select New Taskpad View.
27) New Taskpad View Wizard window - Click Next.
28) New Taskpad View Wizard: Taskpad Style window - Click Next.
29) New Taskpad View Wizard: Taskpad Reuse window - Enable the setting for Selected tree item
and then click Next.
30) New Taskpad View Wizard: Name and Description window - A name is generally prepopulated
based on the OU's name but you can change it to something more meaningful if you like. Once
you have filled in the name field click Next.
31) New Taskpad View Wizard: Completing the New Taskpad View Wizard window - Leave the check
box enabled for Add new tasks to this taskpad after the wizard closes and then click Finish.
Creating a New Task
32) New Task Wizard: Welcome to the New Task Wizard window - Click Next.
33) New Task Wizard: Command Type window - Select the button next to Menu command and then
click Next.
34) New Task Wizard: Menu Command window - In the “Command source” drop down box make
sure that Item listed in the results pane is chosen, under the list of “Available commands” make
sure to highlight Reset Password, then click Next.
35) New Task Wizard: Name and Description window - Click Next.
36) New Task Wizard: Task Icon window - Choose a meaningful icon for the task you are assigning
then click Next. Ex) I will assign the password reset task the icon of the computer with a key
because that would identify it as a computer security related task.
37) New Task Wizard: Completing the New Task Wizard window - Click Finish.
38) You should now be back at the custom MMC window. Expand the user OU and click on a user:
whoever you give this console to can only reset a user's password, force the user to change it
at next logon, and tick "Unlock the user's account" in the same dialog. That unlock checkbox
writes the lockoutTime attribute, so test it once as a member of the group; if it fails, grant the
group Read and Write of lockoutTime on Descendant User objects in addition to what the wizard granted.
39) When you click the reset password task they will see the following popup.
Modifying the custom MMC view so that the end user cannot edit it, add any other snap-ins, or view
any other items that they don't need to. This only tidies the console; the permissions themselves
are enforced by the OU's access control list, not by the console.
40) Within the MMC window, click the View tab, then click on Customize.
41) You will then see the following popup window. Deselect all the checkboxes, except Console
tree, Taskpad navigation tabs, and Menus then click OK.
42) You should now be back at your modified MMC console window as shown below.
43) Now we will modify the name of the console window to something more meaningful and lock
the console down a bit further so that users cannot modify it. Within the MMC window select
the File tab and then select Options.
44) Name the console window to suit your needs but for the purpose of this tutorial and task
assignment I am going to call it the “Student Password Reset Tool”. To prevent the end user
from modifying the MMC you will need to change the “Console mode” to User mode – limited
access, single window then enable the checkbox next to Do not save changes to this console,
disable the checkbox next to Allow the user to customize views, then click Apply and OK.
45) Now we will save the locked down MMC console so that it can be copied and distributed to
those users who we will provide access to the password reset task. In the MMC console go to
the File tab and click Save As.
46) Give this copy a different name from the original console. That way you have one console
designed for the end users and a second, unlocked copy that you can store away and reopen in
Author mode whenever the console needs to be modified. Author mode is discussed below.
47) If you are prompted with the window below click Yes.
48) You should now be back at the customized MMC window named "Student Password
Reset Tool", and the navigation menu is very minimal and provides no access
to customize the views or to add/remove any other snap-ins. Keep in mind that this is a usability
measure, not a security boundary: a member of the group who opens a fresh mmc.exe, the standard
ADUC console, or PowerShell has exactly the rights granted on the OU in step 12, and no more.
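An end-to-end check of the delegation from the delegate's side, as an added example that is not part of the original tutorial. Run it while logged on as a member of the group: the positive tests exercise exactly the three things the delegated entries allow, and the negative tests confirm that the same member is denied outside the OU and for any other attribute, which is the real boundary the locked-down console sits in front of. It assumes RSAT's ActiveDirectory module on the client and the two placeholder account names shown.

```powershell
# Added example (not from the original tutorial): verify the delegation as a member of
# the delegated group. Assumes the ActiveDirectory module from RSAT; both account names
# are placeholders to replace.
Import-Module ActiveDirectory

$inScope    = 'jdoe'        # assumed: a user under the delegated OU
$outOfScope = 'svc-backup'  # assumed: a user outside the delegated OU
$tempPw     = Read-Host -AsSecureString -Prompt "Temporary password for $inScope"

# Positive tests: the three operations the delegated ACEs permit.
Set-ADAccountPassword -Identity $inScope -Reset -NewPassword $tempPw   # Reset Password right
Set-ADUser            -Identity $inScope -ChangePasswordAtLogon $true  # writes pwdLastSet
Unlock-ADAccount      -Identity $inScope                               # writes lockoutTime
Get-ADUser -Identity $inScope -Properties PasswordLastSet, LockedOut |
    Select-Object SamAccountName, PasswordLastSet, LockedOut

# Negative tests: each of these must be denied. If one succeeds, the delegation is broader
# than the tutorial intends and the OU's ACL needs another look.
$shouldFail = @(
    { Set-ADAccountPassword -Identity $outOfScope -Reset -NewPassword $tempPw -ErrorAction Stop }
    { Set-ADUser -Identity $inScope -Description 'edited by delegate' -ErrorAction Stop }
    { Add-ADGroupMember -Identity 'Domain Admins' -Members $inScope -ErrorAction Stop }
)
foreach ($test in $shouldFail) {
    try {
        & $test
        Write-Warning "Delegation is broader than intended: {$test} succeeded"
    } catch {
        "Denied as expected: {$test} -> $($_.Exception.Message)"
    }
}
```

Only the first block of three commands should succeed; every entry in the negative list should print a "Denied as expected" line. Rerun the script whenever the OU structure or the group's membership changes.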
49) The information below is for future reference in case you need to go back and edit the
original, unlocked MMC. Go to wherever you saved that MMC, right-click it, and select
Author.
50) You can then edit the current Taskpad View, add a new view, delete a view, or add/remove any
tasks from those views by right-clicking on the user OU in which you created the view.