Active Directory management with low user rights

active-directory powershell windows-server-2008-r2 autoit

Our problem:

The client, a normal user, has to be able to reset multiple passwords at once. Around 30 in one go. This would call for powershell or something along these lines, but for AD and Powershell one needs to be domain administrator.

My solution would be to make a service that runs on the AD server and take connections from a program. The service would then do the AD changes.

So far so good, I would just like to hear some other thoughts on this problem. Because I sure can't be the only one with it


Why not use delegation?

Put the users together in an OU, create a group that will be able to manage them (or don't, your pick). After that, right click the OU, choose 'Delegate Control'

After that, follow the wizard to allow a certain group/users to make changes to the objects (or a subset of objects) in the OU.

When your delegation is set, you can reset all the passwords via Powershell. If you want to do it easily, I recommend using the Quest-cmdlets.

 get-QADUser -SearchRoot 'company.com/SpecialUsersOU' | set-QADUser -userPassword "MyCompanyIsAwesomeAndThisIsAHardPassword!" -whatIf

Related

CNAME versus an additional A&AAAA record
Create a rule using shell in fresh pfSense installation to open up WAN access to WebConfigurator
How to change the URL on my Amazon EC2 webserver
File corruption when copying different file on raid 1
Nginx (openresty) generating random numbers
robot hammering apache2
Shared folder mounted on OSX: NFS, WebDAV or AFP?
Nginx proxy timeout while uploading big files
How to make BIND behave differently depending on query source?
Dell 2950 - Can I mix SSD with spindle HDDs?
HOWTO: Clone active directory to apacheDS
What's the best way to store thousands of images in a windows folder structure?