Re: Unable to delegate "Reset user passwords and force password change at next logon"

Hello Trust,

See here abouyt the minimum needed permisisons:

Also make sure they are NOT members of account operators group, where the AdminSDHolder will reset the permissions hourly.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!

Hi all,

Hope someone can help me out - I'm scratching my head about this one.

I'm doing my MCITP studies and I'm having problems with delegation.

I have a Windows 2008 Server R2 based Active Directory domain :). I've created a PEOPLE OU that has 5 user acccounts,
and a security group HELPDESK that has some of these accounts as

I've selected the PEOPLE OU, run the delegation of control wizard and
delegated the "Reset user passwords and force password change at next
logon" task to the HELPDESK group.

Simple enough. I've checked the permissions on the PEOPLE OU and the
delegation wizard has added the following:

Allow CONTOSO\HELPDESK Reset Password

The problem is that the delegation does not work. I've tested this by
logging on with a user account in the HELPDESK group and attempting to
reset the password of one fo the user accounts in the PEOPLE OU.

The reset password dialog box shows the "User must change password at
next logon" check box grayed out. Attempting to reset the password
results in an error message "Windows cannot complete the password
change... Access is denied"

I just can't get it to work. The user accounts in the PEOPLE OU are
standard users. Any ideas on this one?