We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable.
I am looking to change this as soon as possible but am fairly new to AD permissions. The main use of the service account is for LDAP queries so I have assigned the account Domain User membership. The trouble is that it also requires the ability to reset a password on behalf of a user. I was looking in to Delegate Control but can only see a "Reset User Passwords and Force Change at next Logon". What is needed is for the reset to occur but the force change not to be set. I tried to specify a role manually but am somewhat out of my depth with the sheer number of different permissions.
Has anyone got any guidance on what permissions are required to delegate control of password resets to another user?