I have made a service that has the capability to reset or change passwords, unlock a locked-out account, and read AD profile values (e.g. sn, firstname etc.) of some domain user after the user verifies himself through phone. On the target domain server, there exists a privileged account that is capable of doing these tasks. I use the .NET Framework Directory Services API and use the privileged account to perform the tasks. So far, my privileged account was basically a domain admin and was capable of doing way more than required. Now, as part of the trial runs, I need to know the exact policies I need to have in order to do these tasks only:

  • Reset a user password
  • Reset a user password and mark the password as expired
  • Change a user password (user will provide current password)
  • Unlock a locked account
  • Read a user's AD profile property

Can someone list the required privileges so I can configure a special account and make it part of the deployment documentation?

John Gardeniers
Hassan Gulzar
    Watch out for that user189950 guy. Not only are his posts long, rambling and not worth the effort, there is a much simpler way of doing this without having to resort to trickery. – longneck Jan 28 '13 at 17:32
  • Is your customized service designed for a particular version of Active Directory Services such as ADv1 (sometimes baroquely referred to as ADv5 since it arrived with Windows 2000/NT5) or do you plan to make it ubiquitous for all versions of Windows Active Directory? It is important since some of the rights/privs have expanded since 2003 and 2008 Server. Does this .NET application need to reset Admins Domain, Ent or other defined Admins? You can model your next version after the Account Operators account which can do all you need except for Domain Administrators. –  Jan 28 '13 at 07:25
  • Okay. I was worried I might have some compatibility issues here. I'm supposed to make a very very generic software capable of doing the said tasks on any LDAP supporting directory service. There will be no application running on the Domain server itself. The .NET API allows me to connect to the Domain's ActiveDirectory using LDAP URL. Although it exposes simple methods, I presume internally, it's submitting special LDAP standard commands for the tasks I want to achieve. – Hassan Gulzar Jan 28 '13 at 07:29
  • I'm with you regarding the additional comment details, but I'm asking does your .NET application need to perform these operations on privileged Admins, either Domain Admins, local System Admins, Ent or newly defined Admins? –  Jan 28 '13 at 07:37
  • As of right now, it should be able to reset the password on every `user`. The `user` could be a Domain User, Domain Admin, or Admin. Any user who forgot his domain password calls a cloud-based application and gets authenticated using a number of ways. Once authenticated, the cloud-based system triggers the LDAP call to the target Directory and requests a password reset for that user using the special account. Okay, maybe the super administrator may not have the option to forget his password. Also, the users that can use this service must be a member of a group, say PasswordResetServiceGroup. – Hassan Gulzar Jan 28 '13 at 07:41
  • Got it, I'm right now expanding and firing up a 2003Server VHD because I know it has the utility you need to list an account's privs and use it to model and test your new app. I'm not attempting to impugn or imply your app is obsolete or too simple that it requires an old server utility from 2003. I'm advising your applet will be in good stead; despite the radical changes Microsoft has made to their server GUIs, little has changed of the underpinnings. I remember where my utility is but not the name for the moment; check back here in about 15 minutes, or if I remember I'll update immediately. –  Jan 28 '13 at 07:46
  • Thanks. The original plan to figure out the list of privileges was a bit tiring: start off with a guest-level account, use Process Explorer on the domain server to see what failed, grant that one, note it down, and try again until I get every possible grant I need. – Hassan Gulzar Jan 28 '13 at 08:25
  • Actually, you were close with ProcExp since it is real time, but you really needed ADInsight, and you're gonna be a lot better off running this applet as a domain admin. I hate telling people "something can't be done" or "impossible", especially when talking about the world's buggiest and widest operating system, but doing this without intrinsic privileges is harder than it's worth and requires loosening so many other aspects you can create new security holes. I just jotted down an official answer; if you want to discuss how to circumvent, let me know, but that is another discussion that pisses off Stack. –  Jan 28 '13 at 08:59

1 Answer

The feature you are looking for is Active Directory Rights Delegation. It lets you assign a user or group rights to do things like reset password, edit specific Active Directory attributes, etc.

Setting it up is as simple as right-clicking on an OU in Active Directory Users and Computers and picking "Delegate Control...". You could probably figure it out without reading Microsoft's documentation, but I recommend you read it anyway.

longneck
    +1 This is the right answer. I almost posted it myself, because your answer was sandwiched between a bunch of rambling nonsense. – MDMarra Jan 28 '13 at 17:54
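A scripted form of the delegation the answer describes, added here as an example (it is not part of the original answer or of Microsoft's documentation): it grants only the rights the question lists, scoped to user objects under one OU, instead of Domain Admins membership. The OU DN, the service account name svc_pwreset and the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example: scripted equivalent of the "Delegate Control..." wizard for the
# rights the question lists. Placeholders: the OU DN and the service account name.
Import-Module ActiveDirectory

$targetOu   = "OU=Users,DC=example,DC=com"   # placeholder: OU holding the users the service may touch
$svcAccount = Get-ADUser "svc_pwreset"        # placeholder: the low-privilege service account
$sid        = [System.Security.Principal.SecurityIdentifier] $svcAccount.SID

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext; $configNc = $rootDse.configurationNamingContext

# Resolve GUIDs from this forest's schema rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid] $o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid] $o.rightsGuid
}

$userClass   = Get-SchemaGuid "user"
$resetPwd    = Get-RightGuid  "Reset Password"
$pwdLastSet  = Get-SchemaGuid "pwdLastSet"    # writing 0 = "must change password at next logon"
$lockoutTime = Get-SchemaGuid "lockoutTime"   # writing 0 = unlock the account

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rw      = $rights::ReadProperty -bor $rights::WriteProperty

# Each ACE applies only to descendant user objects of the OU (inheritedObjectType = user).
$rules = @(
    # Reset a user password: extended right, no old password needed
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $resetPwd, $inherit, $userClass)
    # Reset and mark the password expired: write pwdLastSet
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw, $allow, $pwdLastSet, $inherit, $userClass)
    # Unlock a locked account: write lockoutTime
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw, $allow, $lockoutTime, $inherit, $userClass)
    # Read a user's AD profile properties: read all attributes of user objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ReadProperty, $allow, $inherit, $userClass)
)
# "Change password" (user supplies the current one) needs no extra ACE: the default
# user security descriptor already grants that extended right to Everyone.

$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify what the service account now holds on the OU
(Get-Acl -Path "AD:\$targetOu").Access | Where-Object { $_.IdentityReference -like "*\svc_pwreset" }
```

Members of protected groups such as Domain Admins (adminCount=1) will not pick up these ACEs, because the AdminSDHolder process periodically rewrites their security descriptors; that matches the Account Operators limitation noted in the comments and is the reason the asker's "reset any admin too" requirement cannot be met with delegation alone.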