Active Directory management with low user rights

Our problem:

The client, a normal user, has to be able to reset multiple passwords at once, around 30 in one go. This would call for PowerShell or something along those lines, but for AD and PowerShell one needs to be a domain administrator.

My solution would be to make a service that runs on the AD server and takes connections from a program. The service would then make the AD changes.

So far so good. I would just like to hear some other thoughts on this problem, because I sure can't be the only one with it.


Why not use delegation?

Put the users together in an OU and create a group that will be able to manage them (or don't, your pick). After that, right-click the OU and choose 'Delegate Control'.

After that, follow the wizard to allow a certain group/users to make changes to the objects (or a subset of objects) in the OU.

When your delegation is set, you can reset all the passwords via PowerShell. If you want to do it easily, I recommend using the Quest cmdlets.

 # -WhatIf only previews the change; remove it to actually apply the reset.
 Get-QADUser -SearchRoot 'company.com/SpecialUsersOU' | Set-QADUser -UserPassword "MyCompanyIsAwesomeAndThisIsAHardPassword!" -WhatIf
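The same two steps (scope the delegation to one OU, then do the bulk reset as the delegated user) with the built-in ActiveDirectory module instead of the Quest cmdlets, as an added example that is not part of the answer above. The first part does in script what the 'Delegate Control' wizard does through the GUI, granting only the "Reset Password" extended right plus write access to pwdLastSet (so the helper can force "change at next logon") on user objects below the OU; the GUIDs are the well-known schema GUIDs for those objects. The OU `OU=SpecialUsers,DC=company,DC=com` and the group `PasswordResetters` are hypothetical names. The reset part generates a distinct random password per user rather than one shared password for all 30, and keeps `-WhatIf` on so nothing changes until you remove it.

```powershell
# Added example, not the original poster's or answerer's code.
# Assumes RSAT / the ActiveDirectory module. OU and group names are hypothetical.
Import-Module ActiveDirectory

$ou    = 'OU=SpecialUsers,DC=company,DC=com'   # hypothetical OU holding the 30 users
$group = 'PasswordResetters'                   # hypothetical group for the helper

# --- 1. Delegation: run once as someone who already controls the OU ---
# Well-known Active Directory schema GUIDs.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$sid = (Get-ADGroup -Identity $group).SID
$acl = Get-Acl -Path "AD:\$ou"

# Allow "Reset Password" on user objects under the OU, and nothing else.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# Allow writing pwdLastSet so the helper can set "change password at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# --- 2. Bulk reset: run as a member of $group, no admin rights needed ---
function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias.
    param([int]$Length = 16)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$targets = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter *
foreach ($u in $targets) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    try {
        # Remove -WhatIf on both lines to apply the changes.
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure -WhatIf
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
        # Hand $plain to the user out of band; never write it to a log file.
        Write-Output ("{0}: reset" -f $u.SamAccountName)
    } catch {
        Write-Warning ("{0}: {1}" -f $u.SamAccountName, $_.Exception.Message)
    }
}
```

Running the reset as the delegated user rather than through a service on the domain controller keeps the helper's rights exactly as wide as the ACL on that OU: a "Reset Password" right on `OU=SpecialUsers` cannot be used against admin accounts elsewhere in the domain, and every reset is logged under the helper's own account. Check the result with `(Get-Acl "AD:\$ou").Access | Where-Object { $_.IdentityReference -like "*$group" }` before handing the script over.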