This KB covers the basic settings needed for the domain account you will configure for your AD Password Reset policy. If you have not configured this policy, please see here. We suggest using a service account that only has permissions to change passwords for your Active Directory users.

1. Create a Standard Domain user in Active Directory Users and Computers. In our example we will be using [email protected]

2. Right-click the Domain or OU you want the delegate to manage. Please note the permissions may be affected by inheritance.

In this example, we will be configuring the permissions on the domain itself, allowing the account to manage any users under Telford.local.

3. Select Delegate Control and click Next on the Delegation of Control Wizard. Add the newly created Domain User & click Next.

4. Select the Create custom task to delegate radio button & then click next. 

5. Select “Only the following objects in the folder”, scroll to the bottom of the dialog box and select User objects, then click Next.


6. Leave "General" ticked and also tick "Property-specific", then select the following permissions from the list:

Change Password
Reset Password

Read lockoutTime
Write lockoutTime


Read pwdLastSet
Write pwdLastSet

Read userAccountControl
Write userAccountControl

Click Next, then Finish. The required delegate access is now complete and this account can now be used within your Senso policy.
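
The same delegation can be applied and then checked from PowerShell. This is an added example, not part of the original KB or Senso's own tooling. It assumes RSAT (dsacls.exe and the ActiveDirectory module) is installed, assumes a NetBIOS domain name of TELFORD, and uses svc-pwreset as a placeholder for the account created in step 1:

```powershell
# Added example: scripted equivalent of steps 2-6, followed by a least-privilege audit.
# Run from an elevated session as an account allowed to modify the ACL on $Target.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Target   = 'DC=Telford,DC=local'     # domain from this KB; an OU distinguished name also works
$Delegate = 'TELFORD\svc-pwreset'     # placeholder account; NetBIOS name is an assumption

# Extended rights, inherited only by descendant user objects (/I:S)
foreach ($right in 'Change Password', 'Reset Password') {
    dsacls $Target /I:S /G "${Delegate}:CA;$right;user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for extended right '$right'" }
}

# Read (RP) and write (WP) on each attribute listed in step 6
foreach ($attr in 'lockoutTime', 'pwdLastSet', 'userAccountControl') {
    dsacls $Target /I:S /G "${Delegate}:RPWP;$attr;user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for attribute '$attr'" }
}

# Audit: every ACE held by the delegate on this container
$aces = (Get-Acl -Path "AD:\$Target").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate }

$aces | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType,
    InheritanceType, IsInherited -AutoSize

# Flag anything wider than the delegation above: rights other than
# ExtendedRight/ReadProperty/WriteProperty, or an empty ObjectType GUID,
# which means "all properties" or "all extended rights".
$allowed  = [int][System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight, ReadProperty, WriteProperty'
$tooBroad = $aces | Where-Object {
    (([int]$_.ActiveDirectoryRights -band (-bnot $allowed)) -ne 0) -or
    ($_.ObjectType -eq [guid]::Empty)
}

if ($tooBroad) {
    Write-Warning "Delegate holds ACEs broader than the password-reset delegation:"
    $tooBroad | Format-List ActiveDirectoryRights, ObjectType, InheritedObjectType
} else {
    Write-Output "Delegate ACEs are limited to specific extended rights and properties."
}
```

Running only the audit half after using the wizard confirms that the account ended up with the permissions from step 6 and nothing wider.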