Windows Password Reset – service account rights delegation in AD

The service account used for Windows Password Reset is the one that is set in the User Storage in PSID Admin GUI. The account must have sufficient rights to be able to change the password for the users during the Password Reset process.

Delegate control

  1. Right-click on the Organizational Unit (OU) in the Active Directory used for User Storage.

  2. Start a Delegation of Control wizard.

  3. Select the account (set in PSID Admin under User Storages) to add delegation rights.

  4. At the Tasks to Delegate window, choose Create a custom task to delegate.

  5. Click Only the following objects in the folder and add User objects.

  6. Enable Property-Specific and choose Change Password and Reset Password.

  7. Scroll down and also add Read lockoutTime and Write lockoutTime.

  8. The last checkbox to add is Write pwdLastSet.

  9. The delegation rights needed are now added. Continue and finish the Delegation Wizard.
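
The same delegation can be scripted and then audited. The following is an added example, not part of the original guide or the vendor's tooling: it grants the permissions from the steps above with dsacls and then lists every explicit ACE the service account holds on the OU, so that anything beyond the intended rights stands out. The OU distinguished name and account name are placeholders (assumptions); the GUIDs are the standard Active Directory schema identifiers for these rights and attributes.

```powershell
# Added example. $OuDn and $Account are placeholders; substitute your own values.
# Requires the RSAT ActiveDirectory module and permission to modify the OU's ACL.
Import-Module ActiveDirectory

$OuDn    = 'OU=Users,DC=example,DC=com'   # placeholder: OU used for User Storage
$Account = 'EXAMPLE\svc-psid'             # placeholder: service account set in PSID Admin

# Permissions from the wizard steps, inherited (/I:S) to descendant user objects only.
$grants = @(
    'CA;Reset Password;user',     # extended right: Reset Password
    'CA;Change Password;user',    # extended right: Change Password
    'RPWP;lockoutTime;user',      # read and write lockoutTime
    'WP;pwdLastSet;user'          # write pwdLastSet
)
foreach ($g in $grants) {
    dsacls $OuDn /I:S /G "${Account}:$g" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$g'" }
}

# Audit: the only ObjectType GUIDs the account should hold on this OU.
$expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
}
$userClass = 'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the user class

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
    ForEach-Object {
        $guid   = $_.ObjectType.ToString()
        $scoped = $_.InheritedObjectType.ToString() -eq $userClass
        [pscustomobject]@{
            Rights       = $_.ActiveDirectoryRights
            Target       = if ($expected.ContainsKey($guid)) { $expected[$guid] } else { $guid }
            UserObjsOnly = $scoped
            # Unexpected = a right outside the list above, or one not limited to user objects
            Unexpected   = -not ($expected.ContainsKey($guid) -and $scoped)
        }
    } | Format-Table -AutoSize
```

Any row with Unexpected set to True is a right the Password Reset process does not need according to the steps above and should be reviewed.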