This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative tasks, like unlocking accounts and resetting passwords. There’s a better way, and it is so easy, you’ll wonder why you haven’t done it all
- Open Active Directory Users and Computers.
- Right-click on the user or group you want to delegate, and click Delegate Control…
- Click Next on the Welcome Wizard.
- Click Add… and enter the user name or group name that will be granted reset permission. (E.g. ExampleDomain\Helpdesk)
- Click OK once you’ve made your selection, followed by Next.
- Ensure that Delegate the following common tasks is enabled, and select Reset user passwords and force password change at next logon.
- Click Next, and Finish.
- Right-click on the newly modified user or group, and select Properties.
- Select the Security tab, and click Advanced.
- Click Add.
- Click Select a principal and enter the user name or group name that has been granted reset permission.
- Click OK.
- In the Applies to field, select Descendant User object.
- Scroll down and enable Read lockoutTime and Write lockoutTime.
- Click OK three times.
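The same delegation done in PowerShell, as an added example that is not part of the original post: it grants the helpdesk group the Reset Password control right plus read/write on pwdLastSet (what the wizard task above sets) and read/write on lockoutTime (the unlock part), then reads the ACL back so the result can be verified. The OU distinguished name and the group name are assumptions; it needs the ActiveDirectory module and an account that can modify the OU's ACL.

```powershell
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=example,DC=com'   # assumption: OU that holds the user objects
$Delegate = 'EXAMPLE\Helpdesk'             # assumption: group receiving the delegation

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve attribute, class and control-right GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClassGuid   = Get-SchemaGuid 'user'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'
$resetPwdGuid    = Get-ExtendedRightGuid 'Reset Password'

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate([System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$TargetOU"

# All ACEs apply to descendant user objects only, never to the OU itself or to other object classes.
$aces = @(
    # "Reset user passwords and force password change at next logon" = Reset Password right + pwdLastSet read/write
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $resetPwdGuid, 'Descendents', $userClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSetGuid, 'Descendents', $userClassGuid),
    # Unlocking an account = read/write of lockoutTime
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTimeGuid, 'Descendents', $userClassGuid)
)
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read the ACL back: only these three scoped entries should exist for the group, nothing broader.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $Delegate } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Keeping the delegation in a script like this makes it repeatable across OUs and easy to diff against the live ACL later, which is how you catch rights that have quietly grown beyond reset and unlock.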