
We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable.

I am looking to change this as soon as possible but am fairly new to AD permissions. The main use of the service account is for LDAP queries, so I have assigned the account Domain User membership. The trouble is that it also requires the ability to reset a password on behalf of a user. I was looking into Delegate Control but can only see a "Reset User Passwords and Force Change at next Logon" task. What is needed is for the reset to occur but the force change not to be set. I tried to specify a role manually but am somewhat out of my depth with the sheer number of different permissions.

Has anyone got any guidance on what permissions are required to delegate control of password resets to another user?

1 Answer


The minimum granular permissions that you need to delegate this task are:

  • Reset Password
  • Read pwdLastSet
  • Write pwdLastSet

You should create a new security group, delegate these permissions to it using the Delegation Wizard, and then add the service account to the new group.

MDMarra
    Thanks for this. May be another question but if so just say and I will ask on the main boards: why is the best practice to create security groups and assign accounts to the group rather than just assigning the delegation to the account itself? Have read this before but can only see people stating that it is best practice. –  Oct 04 '11 at 14:33
  • 2
    @TimAlexander The short answer is that it's more sustainable and more easily audited. If you ever needed any other account ever to have this permission, you can just add them to the group instead of delegating all over. If you no longer need that service account to reset passwords, you just remove it from the group instead of deleting all of the permissions. The long answer would need to be asked on the site. – MDMarra Oct 04 '11 at 14:40
  • thanks again. I can see the benefits long term. Have to stop looking at things in AD as a short term fix! Thanks again for all your help –  Oct 04 '11 at 14:47
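The following is an added example, not code from the question or the answer above, showing how to apply the three rights the answer lists without the Delegation Wizard: create the security group, add the service account to it, and grant Reset Password plus Read/Write pwdLastSet on one OU, scoped to descendant user objects only. The OU, group and account names are placeholders; the ActiveDirectory module is assumed to be available, and the caller is assumed to be allowed to modify the OU's ACL. The three schema GUIDs are the fixed, forest-independent values for the "Reset Password" control access right, the pwdLastSet attribute and the user object class. Note that the wizard's "Reset User Passwords and Force Change at next Logon" task grants these same rights; what actually forces a change at next logon is the caller writing pwdLastSet to 0, so a holder of these rights that simply does not do that performs a plain reset.

```powershell
# Added example: group-based delegation of password reset on one OU.
# Placeholders (assumptions): OU path, group name, service account name.
Import-Module ActiveDirectory

$ouDN       = 'OU=Staff,DC=example,DC=com'     # assumed target OU
$groupName  = 'Delegated-PasswordReset'        # assumed group name
$serviceSam = 'svc-ldap'                       # assumed service account

# Well-known schema GUIDs (identical in every AD forest)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# 1. Create the group and put the service account in it (delegate to the group, not the account)
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN -PassThru
Add-ADGroupMember -Identity $group -Members $serviceSam
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Inheritance: apply to descendant objects of class "user" only, never to the OU itself
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-DelegationAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    # ACE: <group> Allow <Rights> on <ObjectType>, inherited by descendant user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $inherit, $userClass)
}

# 2. The three ACEs from the answer
$aces = @(
    (New-DelegationAce -Rights ExtendedRight -ObjectType $resetPasswordRight),  # Reset Password
    (New-DelegationAce -Rights ReadProperty  -ObjectType $pwdLastSetAttr),      # Read pwdLastSet
    (New-DelegationAce -Rights WriteProperty -ObjectType $pwdLastSetAttr)       # Write pwdLastSet
)

# 3. Append them to the OU's security descriptor
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: show only the ACEs granted to the new group (compare by SID, not display name)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType

# 5. What the service account can then do. A plain reset leaves pwdLastSet alone, so the user
#    is not forced to change the password at next logon; that only happens if the caller also
#    passes -ChangePasswordAtLogon $true (which writes pwdLastSet = 0).
# Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword (Read-Host -AsSecureString 'New password')
```

Run step 4 after applying the ACL and you should see exactly three Allow entries for the group, each with InheritanceType Descendents and InheritedObjectType equal to the user class GUID. If the service account is later retired, removing it from the group revokes the rights without touching the OU's ACL, which is the reason the answer recommends delegating to a group.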