Delegating Permission to Reset Passwords
Created by: Travis Kench – travis@tkcomputersolutions.com – 1/3/2017
SCENARIO: Your librarians or other departmental staff want to be able to reset user account passwords
for a particular organizational unit within your organization. You obviously don’t want to give them
Domain Administrator rights nor do you want to give them access to other secured resources that they
don’t need.
SOLUTION: Create a custom Active Directory Users & Computers (ADUC) Microsoft Management
Console (MMC) while utilizing the Delegation of Control Wizard in Active Directory to assign permissions
to a particular group that only allows them to reset the password of an account. Using ADUC and the
Delegation of Control Wizard you can manipulate this setup to assign a user/group numerous
permissions to do certain tasks that will make their lives easier along with decreasing the number of
help desk tickets you may have to handle.
I will be using a Windows 10 client and a Windows Server 2012 R2 server for my demonstration. This
tutorial also applies to the following client & server operating systems: Windows 7, 8, 8.1, 10, Server
2008, 2008 R2, 2012, and 2012 R2.
Install Remote Server Administration Tools (RSAT) on the end user's computer.
1) On the local computer of the user who will be utilizing this custom ADUC MMC snap-in, you will
need to install the RSAT executable that is specific to their particular version of Windows.
a. Windows 7 RSAT
b. Windows 8 RSAT
c. Windows 8.1 RSAT
d. Windows 10 RSAT
2) Once the RSAT tools are installed we will need to enable the features within the local computer's
Control Panel via Programs and Features.
Windows 10 RSAT Setup
a. Right-click the Start Menu Windows icon > Programs and Features > Turn Windows
features on or off
b. Uncheck the selection labeled Remote Server Administration Tools
c. Expand Remote Server Administration Tools
d. Expand Role Administration Tools
e. Expand AD DS and AD LDS Tools
f. Expand AD DS Tools
g. Enable AD DS Snap-ins and Command-line Tools and click OK.
Create a custom Global Security group in Active Directory.
3) On the server open Active Directory Users and Computers > Right-click on the Organizational Unit
(OU) where you want to store the group > select New > and then select Group.
4) Give the Global Security group a meaningful name so that it is easy to tell who should be in the
group as well as what they may be allowed to do. Within our school district we have building
level IT representatives that help with certain tasks so I will name our group “IT Building Reps”.
Once you have configured the settings shown below click OK.
5) Add your designated users to the Global Security group. Double-click the group’s name and then
click Add.
6) Go to the Members tab and click Add. Once you have added in all of your members click Apply
and then OK.
Utilize the Delegation of Control Wizard to Assign Permissions
7) Right-click on the users OU that you want to enable users to reset passwords for and select
Delegate Control…
8) On the Welcome to the Delegation of Control Wizard window, click Next.
9) Delegation of Control Wizard: Users or Groups window, click Add.
10) Input the group name that you created in Step 4, click Check Names to verify you typed the
group’s name correctly and then click OK.
11) At the following screen click Next.
12) Delegation of Control Wizard: Tasks to Delegate window, enable the checkbox next to Reset
user passwords and force password change at next logon and click Next.
13) Completing the Delegation of Control Wizard window, click Finish.
Verifying the permissions you created with the Delegation of Control Wizard
14) Within ADUC, click the View tab at the top of the screen and make sure the Advanced Features
menu-item has a check mark next to it showing you that it is enabled. If it isn’t enabled just click
on Advanced Features and it will then be enabled.
15) Right-click on the user OU that you selected in Step 7 and select the Properties menu-item.
16) Select the Security tab, verify that the Global Security group that you created in Step 4 appears
in the list. Highlight your Global Security group’s name and click Advanced.
17) Verify that the permission to access the task for “Reset Password” has been granted to your
custom Global Security group and that it applies to Descendant User objects, then click Edit.
18) You should now see a number of tasks that could potentially be delegated.
19) Click OK three times to bring you back to the MMC window.
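The check in steps 14-17 can also be scripted. The following is an added example, not part of the original tutorial: it classifies every ACE held by the delegated group and flags anything beyond the two the "Reset user passwords and force password change at next logon" task writes (the Reset Password extended right and read/write on pwdLastSet, both scoped to descendant user objects). The function names, the EXAMPLE domain and the OU path in the comments are assumptions; the sample ACEs are constructed so the script also runs without a domain.

```powershell
# Added example (not from the original tutorial). Assumes Windows PowerShell 5.1 or later.
Add-Type -AssemblyName System.DirectoryServices

# Schema GUIDs; these are the same in every Active Directory forest.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right "Reset Password"
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class "user"

$AdRights   = [System.DirectoryServices.ActiveDirectoryRights]
$Descendant = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ReadWrite  = [int]($AdRights::ReadProperty -bor $AdRights::WriteProperty)

# Hypothetical helper: returns one row per ACE held by $Group, marked expected or not.
function Test-ResetDelegationAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,    # ActiveDirectoryAccessRule objects
        [Parameter(Mandatory)] [string]   $Group   # 'DOMAIN\Group name'
    )
    foreach ($a in $Ace) {
        if ($a.IdentityReference.Value -ne $Group) { continue }
        $rights = [int]$a.ActiveDirectoryRights

        # Scope must be "Descendant User objects", as checked by eye in step 17.
        $onUsers = ($a.InheritedObjectType -eq $UserClass) -and
                   ($a.InheritanceType -eq $Descendant)
        # ACE 1: only the Reset Password extended right.
        $isReset = ($a.ObjectType -eq $ResetPassword) -and
                   ($rights -eq [int]$AdRights::ExtendedRight)
        # ACE 2: read and/or write on pwdLastSet, and no other right bits.
        $isPwdLastSet = ($a.ObjectType -eq $PwdLastSet) -and ($rights -ne 0) -and
                        (($rights -band (-bnot $ReadWrite)) -eq 0)

        [pscustomobject]@{
            Expected   = ($a.AccessControlType -eq 'Allow') -and $onUsers -and
                         ($isReset -or $isPwdLastSet)
            Rights     = $a.ActiveDirectoryRights
            ObjectType = $a.ObjectType
            AppliesTo  = $a.InheritedObjectType
            Scope      = $a.InheritanceType
            Inherited  = $a.IsInherited
        }
    }
}

# Hypothetical helper for a live domain: reads the OU's ACL through the AD: drive,
# which the ActiveDirectory module (part of the RSAT install in step 2) provides.
# Example call (constructed names):
#   Get-OuResetDelegation -OuDn 'OU=Students,DC=example,DC=com' -Group 'EXAMPLE\IT Building Reps'
function Get-OuResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $Group
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    Test-ResetDelegationAce -Ace @((Get-Acl -Path "AD:\$OuDn").Access) -Group $Group
}

# --- Constructed sample ACEs (no domain needed) ---
$grp   = [System.Security.Principal.NTAccount]'EXAMPLE\IT Building Reps'
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$sample = @(
    # The two ACEs the wizard task is expected to write.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grp, $AdRights::ExtendedRight, $allow, $ResetPassword, $Descendant, $UserClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grp, ($AdRights::ReadProperty -bor $AdRights::WriteProperty), $allow,
        $PwdLastSet, $Descendant, $UserClass),
    # Constructed over-broad ACE: full control on descendant users. Must be flagged.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $grp, $AdRights::GenericAll, $allow, $Descendant, $UserClass)
)

Test-ResetDelegationAce -Ace $sample -Group $grp.Value |
    Format-Table Expected, Rights, ObjectType, Scope -AutoSize
```

Any row with Expected set to False is a permission the group holds on the OU beyond the password-reset task and should be reviewed before the console is distributed.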
Creating a custom MMC snap-in
20) Right-click the Start Menu Windows icon and select Run.
21) At the Run dialog box type mmc and click OK.
22) Within the MMC window click on File then select Add/Remove Snap-in.
23) Highlight Active Directory Users and Computers, click Add, and then click OK.
24) Right-click on the OU that you selected in Step 6 then select New Window from Here.
25) Now you will have a console window pop up that shows the end user only the users OU that
you want them to see.
Creating a Taskpad View
IMPORTANT: If you only have one parent OU and no child user OUs then you will only need to go
through steps 26-37 once. However if you have multiple child OUs under your parent users OU then you
will need to do all the steps in 26-37 on each of those OUs.
26) Right-click on the user OU that you selected in Step 7 and select New Taskpad View.
27) New Taskpad View Wizard window - Click Next.
28) New Taskpad View Wizard: Taskpad Style window - Click Next.
29) New Taskpad View Wizard: Taskpad Reuse window - Enable the setting for Selected tree item
and then click Next.
30) New Taskpad View Wizard: Name and Description window - A name is generally prepopulated
based on the OU's name but you can change it to something more meaningful if you like. Once
you have the name field filled in, click Next.
31) New Taskpad View Wizard: Completing the New Taskpad View Wizard window - Leave the check
box enabled for Add new tasks to this taskpad after the wizard closes and then click Finish.
Creating a New Task
32) New Task Wizard: Welcome to the New Task Wizard window - Click Next.
33) New Task Wizard: Command Type window - Select the button next to Menu command and then
click Next.
34) New Task Wizard: Menu Command window - In the “Command source” drop down box make
sure that Item listed in the results pane is chosen, under the list of “Available commands” make
sure to highlight Reset Password, then click Next.
35) New Task Wizard: Name and Description window - Click Next.
36) New Task Wizard: Task Icon window - Choose a meaningful icon for the task you are assigning
then click Next. Ex) I will assign the password reset task the icon of the computer with a key
because that would identify it as a computer security related task.
37) New Task Wizard: Completing the New Task Wizard window - Click Finish.
38) You should now be back at the custom MMC window. If you open the users OU and then click
on a user you will see that whoever you give the MMC to will only have access to reset a
user's password, force the user to change their password, and unlock their account.
39) When they click the reset password task they will see the following popup.
Modifying the custom MMC view so that the end user cannot edit it, add any other snap-ins, or view
any other items that they don’t need to.
40) Within the MMC window, click the View tab, then click on Customize.
41) You will then see the following popup window. Deselect all the checkboxes, except Console
tree, Taskpad navigation tabs, and Menus then click OK.
42) You should now be back at your modified MMC console window as shown below.
43) Now we will modify the name of the console window to something more meaningful and lock
the console down a bit further so that users cannot modify it. Within the MMC window select
the File tab and then select Options.
44) Name the console window to suit your needs but for the purpose of this tutorial and task
assignment I am going to call it the “Student Password Reset Tool”. To prevent the end user
from modifying the MMC you will need to change the “Console mode” to User mode – limited
access, single window then enable the checkbox next to Do not save changes to this console,
disable the checkbox next to Allow the user to customize views, then click Apply and OK.
45) Now we will save the locked down MMC console so that it can be copied and distributed to
those users who we will provide access to the password reset task. In the MMC console go to
the File tab and click Save As.
46) Name the MMC something different from what the original console was named. That gives you
one console that is designed for those particular end users and one console to store away,
which you can get back into via Author mode to modify the MMC in the future if need be.
Author mode will be discussed below.
47) If you are prompted with the window below click Yes.
48) So now you should be back at the customized MMC window named the “Student Password
Reset Tool” and you will notice that the navigation menu is very minimal and provides no access
to customize the views or to add/remove any other snap-ins.
49) The information below is for future reference just in case you need to go back and edit the
original MMC that was not locked down. Go to wherever you saved that MMC, right-click it, then
select Author.
50) You can then edit the current Taskpad View, add a new view, delete a view, or add/remove any
tasks from those views just by right-clicking on the users OU in which you created the view.
