Users want to be able to reset other users' passwords (Active Directory) [closed]

Currently I face some very angry users of my Active Directory who want to be able to reset other users' passwords instead of writing tickets. I told them that this is not how it works, but now I just want to give them what they demand. Is there some web app where I can let them reset passwords, limited to a group of users? It should be dead simple, because it will be used by complete morons.

Of course they should not be granted domain admin rights, just the ability to reset passwords. OF COURSE it's the type of users who don't even know what an Active Directory is and who fail to use the ticket system ("it's so complicated!").


The only solution available out of the box is to install the AD Users and Computers management console on their computers and teach them to use it. You can assign password reset permissions on specific user objects to them via the console. They don't need Domain Admin rights to do that.

It goes without saying that doing this is not a good idea from an administrative and security point of view. You should escalate this to your manager and make sure he/she understands all the consequences and takes responsibility for this decision.


The answer is simpler. You delegate control to reset passwords using the delegation of control wizard in ADUC on these single user accounts that you want to allow your users to change the password of.

Your users simply open the command line and write

net user someuser /domain newpass
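
Added example, not part of either answer above: the delegation both answers describe, done from PowerShell with dsacls instead of the ADUC wizard, followed by an audit of who holds the Reset Password right on the container. The OU `OU=Branch Staff,DC=example,DC=com` and the group `EXAMPLE\Branch-PwdReset` are hypothetical names; it assumes the RSAT ActiveDirectory module is installed and that the accounts to be reset live in one OU.

```powershell
# Added example. The OU and group names below are hypothetical placeholders.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$TargetOU  = 'OU=Branch Staff,DC=example,DC=com'  # assumed OU with the resettable accounts
$Delegates = 'EXAMPLE\Branch-PwdReset'            # assumed group allowed to reset passwords

# Grant only the "Reset Password" control access right (CA), inherited by
# descendant user objects (/I:S). Nothing else is delegated: no create,
# delete, group membership or attribute write rights.
dsacls $TargetOU /I:S /G "${Delegates}:CA;Reset Password;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Audit: every Allow ACE on the OU that permits a password reset.
# An ExtendedRight ACE with an empty ObjectType means "all extended rights",
# and GenericAll contains the ExtendedRight bit, so both show up here too.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtendedRight) -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Keeping privileged accounts out of the delegated OU prevents the delegates from resetting an administrator's password, and re-running the audit portion periodically shows whether the list of principals has grown beyond the intended group.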