Delegated password reset permission for your helpdesk

This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all



  1. Open Active Directory Users and Computers.
  2. Right-click on the user or group you want to delegate, and click Delegate Control…
  3. Click Next on the Welcome Wizard.
  4. Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
  5. Click OK once you’ve made your selection, followed by Next.
  6. Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
  7. Click Next, and Finish.
  8. Right-click on the newly modified user or group, and select Properties.
  9. Select the Security tab, and click Advanced.
  10. Click Add.
  11. Click Select a principal and enter the user name or group name that has been granted reset permission.
  12. Click OK.
  13. In the Applies to field, select Descendant User object.
  14. Scroll down and enable, Read lockoutTime, and Write lockoutTime.
  15. Click OK three times.