4

Our problem:

The client, a normal user, has to be able to reset multiple passwords at once. Around 30 in one go. This would call for PowerShell or something along these lines, but for AD and PowerShell one needs to be domain administrator.

My solution would be to make a service that runs on the AD server and takes connections from a program. The service would then do the AD changes.

So far so good, I would just like to hear some other thoughts on this problem. Because I sure can't be the only one with it.

Bart De Vos
DemonWareXT
    `"This would call for powershell or something along these lines, but for AD and Powershell one needs to be domain administrator."` - that's just wrong. – MDMarra Jun 29 '12 at 11:50

1 Answer

8

Why not use delegation?

Put the users together in an OU, create a group that will be able to manage them (or don't, your pick). After that, right-click the OU and choose 'Delegate Control'.

After that, follow the wizard to allow a certain group/users to make changes to the objects (or a subset of objects) in the OU.

When your delegation is set, you can reset all the passwords via PowerShell. If you want to do it easily, I recommend using the Quest-cmdlets.

    # -WhatIf only previews the change; remove it to actually reset the passwords.
    Get-QADUser -SearchRoot 'company.com/SpecialUsersOU' | Set-QADUser -UserPassword "MyCompanyIsAwesomeAndThisIsAHardPassword!" -WhatIf
Bart De Vos
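
The delegation-plus-bulk-reset approach from the answer above, as an added example that is not part of the original posts: it uses the native ActiveDirectory module (RSAT) instead of the Quest cmdlets and gives every account its own random password rather than one shared value. The OU distinguished name, the group name, the `$Preview` switch and the `New-RandomPassword` helper are assumptions for illustration.

```powershell
#requires -Modules ActiveDirectory
# Added example. Assumed/placeholder values: the OU DN and the group name.
$OuDn    = 'OU=SpecialUsersOU,DC=company,DC=com'
$Group   = 'COMPANY\PasswordResetOperators'   # hypothetical delegated group
$Preview = $true                              # $false applies the changes

# One-time step for a domain admin: command-line form of 'Delegate Control'.
# CA = extended right "Reset Password"; WP on pwdLastSet permits forcing a
# change at next logon. /I:S with ';user' applies it to user objects below the OU.
#   dsacls $OuDn /I:S /G "${Group}:CA;Reset Password;user" "${Group}:WP;pwdLastSet;user"

function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?@'
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit: no modulo bias
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                }
            }
            $pw = $sb.ToString()
            # Retry until upper, lower, digit and symbol are all present.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
                 $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    } finally { $rng.Dispose() }
    $pw
}

# Run as a member of the delegated group; no Domain Admin rights involved.
Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * | ForEach-Object {
    $user   = $_
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure `
            -WhatIf:$Preview -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true `
            -WhatIf:$Preview -ErrorAction Stop
        [pscustomobject]@{ User = $user.SamAccountName; Password = $plain; Error = $null }
    } catch {
        [pscustomobject]@{ User = $user.SamAccountName; Password = $null; Error = $_.Exception.Message }
    }
}
```

The emitted objects contain plaintext passwords, so hand them to the users over a protected channel instead of writing them to a file on disk.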