Staff resetting passwords

I am looking at a way to give staff access to reset pupil passwords but not to give them any admin access. We use a 2008 r2 windows domain. Can anyone recomend a good way of implementing that?

Create a custom MMC and use the delegate control wizard on the appropriate OU containing the pupil accounts.

How would the staff then see how to reset the passwords? Remote Server Administration Tools?

That would be the custom MMC part.

You can focus the MMC on a particular part of AD, and as long as you have delegated control they can use that to reset passwords.

Code:

---

@echo offsetlocal


:start
cls
echo,
echo,
set /p _username_=Please enter the username :


if "%_username_%" == "q" goto end


for /f "tokens=1* delims=*" %%i in ('dsquery user -limit 1 -samid "%_username_%"') do (
echo %%i
set _upn_=%%i
if NOT "%%i" == "" goto chpwd
)


goto start




:chpwd
dsmod user %_upn_% -pwdneverexpires no
dsmod user %_upn_% -pwd 123456 -mustchpwd yes


:end

---

I'm lazy and use this script to reset passwords.

So when delegating control, can you minimise what the user sees in AD? I dont really want them to see everything

We use Password Control, its a free application, easy to install.

we had if installed on our server (2008r2) and have a link to it on our staff profiles.

Works a treat. PM me if you want some more info.

They would see everything that they have permission to, but they would not be able to change anything.

I don't think it really matters what the teachers see, only what they can change. (Just my £0.02)

Quote:

---

Originally Posted by icttech

We use Password Control, its a free application, easy to install.

---

Post a link?

Quote:

---

Originally Posted by TheLibrarian

They would see everything that they have permission to, but they would not be able to change anything.

I don't think it really matters what the teachers see, only what they can change. (Just my £0.02)

---

You've been very helpful, thankyou

A link would be very helpful on here please

A quick google took me to this... going to try it out later.

Password Control

Quote:

---

Originally Posted by MarkBerridge

You've been very helpful, thankyou

---

You are welcome. :)

Custom MMC - in a normal AD MMC, right click on the OU you want them to see and choose New Window. Save that as a new MMC and put it somewhere they can all get to. Delegate the relevant permissions to staff on that OU. Easy peasy!

Quote:

---

Originally Posted by sonofsanta

Custom MMC - in a normal AD MMC, right click on the OU you want them to see and choose New Window. Save that as a new MMC and put it somewhere they can all get to. Delegate the relevant permissions to staff on that OU. Easy peasy!

---

Brilliant thanks :)