Resetting passwords


Darren Jones

When granting the "reset password" permission I notice
that admin can reset the password but can't check
the "User must change password at next logon" box, which
is really the whole point. We want junior level admin to
reset the user passwords and force the users to change
them at next logon. I tried adding the "change password"
permission but got the same results.

Which permissions am I missing?
 
You have to allow the junior admin to set the pwdLastSet attribute on the user
object. Delegate him the right to modify this attribute.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
I don't see this listed as a permission in AD Users and
Computers. From where do I assign this permission?
 
It turns out I also had to grant the admin the read/write
account restrictions rights. Only then could they force a
password change. Prior to that I tried using ADSI Edit to
grant rights to the pwdLastSet property but that didn't
work either.
 
Possibly it didn't work due to the tool that was being used. That property set you granted also allows the admin to
disable/enable the account, set the account's expiration, and also set TS settings.

The control access right Reset Password and pwdLastSet are definitely the only two needed if you write a basic script to
change the password which does the setpassword and also sets pwdLastSet to 0.
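The approach from the last reply, as an added example that is not code from any poster in this thread: delegate only the Reset Password control access right and write access to pwdLastSet on an OU (leaving out the broader account restrictions property set), then reset a password and set pwdLastSet to 0 from a script. The OU, group and user names are placeholders, and the ActiveDirectory module (RSAT) and dsacls.exe are assumed to be available.

```powershell
# Added example. All distinguished names, groups and users are placeholders.
Import-Module ActiveDirectory

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,    # e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $Group    # e.g. 'EXAMPLE\JuniorAdmins'
    )
    # CA = control access right, WP = write property.
    # /I:S applies the ACEs to child objects only; the trailing ';user'
    # restricts them to user objects, so nothing else in the OU is affected.
    & dsacls.exe $OuDn /I:S /G `
        "${Group}:CA;Reset Password;user" `
        "${Group}:WP;pwdLastSet;user"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed with exit code $LASTEXITCODE"
    }
}

function Reset-PasswordForceChange {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    # Uses the Reset Password control access right.
    Set-ADAccountPassword -Identity $Identity -Reset `
        -NewPassword $NewPassword -ErrorAction Stop

    # Uses write access to pwdLastSet. The value 0 is what the
    # "User must change password at next logon" checkbox stores.
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = 0 } -ErrorAction Stop

    # Read the attribute back so a missing delegation is caught here
    # rather than discovered when the user is not prompted.
    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet
    if ($user.pwdLastSet -ne 0) {
        throw "pwdLastSet was not cleared for $Identity"
    }
    $user
}

# Usage (run the first line once as a domain admin, the rest as the junior admin):
#   Grant-PasswordResetDelegation -OuDn 'OU=Staff,DC=example,DC=com' -Group 'EXAMPLE\JuniorAdmins'
#   $pw = Read-Host -AsSecureString 'Temporary password'
#   Reset-PasswordForceChange -Identity 'jdoe' -NewPassword $pw
```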
 