I have made a service that has the capability to reset and change passwords, unlock a locked-out account, and read AD profile values (e.g. sn, firstname etc.) of some domain user after the user verifies himself through phone. On the target domain server, there exists a privileged account which is capable of doing these tasks. I use the .NET framework Directory Services API and use the privileged account to perform tasks. So far, my privileged account was basically a domain admin and was capable of doing way more than required. Now, as part of the trial runs, I need to know the exact policies I need to have in order to do these tasks only:
- Reset a user password
- Reset a user password and mark the password as expired
- Change a user password (user will provide current password)
- Unlock a locked account
- Read a user's AD profile property
Can someone list the required privileges so I can configure a special account and make it part of the deployment documentation?
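As an added example (not code from the question's author), the following PowerShell script delegates only the rights each of the five tasks needs to a dedicated service account, scoped to one OU of user objects, and then reads the ACL back so the result can be checked and pasted into deployment documentation. The service account name `svc_pwreset`, the OU `OU=Staff,DC=corp,DC=example` and the list of readable attributes are assumptions; schema and extended-right GUIDs are resolved from the directory rather than hard-coded.

```powershell
# Added example, not from the original post. Assumed names: service account
# 'svc_pwreset' and target OU 'OU=Staff,DC=corp,DC=example'. Run as an account
# that may modify the OU's security descriptor (e.g. a Domain Admin, once).
Import-Module ActiveDirectory

$ServiceAccount = 'svc_pwreset'
$TargetOu       = 'OU=Staff,DC=corp,DC=example'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the schema / configuration partition instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    return [guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'                       # ACEs apply to user objects only
$sid       = (Get-ADUser $ServiceAccount).SID
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rights    = [System.DirectoryServices.ActiveDirectoryRights]

function New-UserAce($Right, [guid]$ObjectType) {
    # Every ACE: <service account> Allow <right> on <objectType>, inherited by user objects under the OU
    return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Right, $allow, $ObjectType, $inherit, $userClass)
}

$rules = @()
# 1) Reset a user password: the "Reset Password" control access right.
$rules += New-UserAce $rights::ExtendedRight (Get-ExtendedRightGuid 'Reset Password')
# 2) Reset and mark the password as expired: the service writes pwdLastSet = 0.
$rules += New-UserAce $rights::WriteProperty (Get-SchemaGuid 'pwdLastSet')
# 3) Change a password using the current one: the "Change Password" right.
#    Everyone and SELF hold this by default on user objects; granting it explicitly
#    keeps the documented delegation complete even if defaults were tightened.
$rules += New-UserAce $rights::ExtendedRight (Get-ExtendedRightGuid 'Change Password')
# 4) Unlock a locked-out account: the service writes lockoutTime = 0.
$rules += New-UserAce $rights::WriteProperty (Get-SchemaGuid 'lockoutTime')
# 5) Read profile properties: ReadProperty on each attribute the service exposes
#    (assumed list; extend it with whatever the phone-verification flow shows).
foreach ($attr in 'sn', 'givenName', 'displayName', 'mail') {
    $rules += New-UserAce $rights::ReadProperty (Get-SchemaGuid $attr)
}

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify: show only the ACEs that now reference the service account. This table is
# what belongs in the deployment document, and it is also what a reviewer diffs
# against a baseline to detect later privilege creep on the OU.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The service then binds with `svc_pwreset` instead of a Domain Admin; reset, expiry and unlock are the `Reset Password` right plus `pwdLastSet` and `lockoutTime` writes, while the user-initiated change needs only `Change Password`, which the user's own SELF entry normally already provides. Keeping the ACEs on one OU and inherited only by `user` objects means the account cannot touch computers, groups or accounts elsewhere in the domain, and the read-back at the end gives you a concrete artefact to compare after any later ACL change.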