# Active Directory Rights

ARKSSPR is a product that simplifies end-user password management tasks. An authorized account in Active Directory is required for operations such as password reset and account unlocking.

### Password Reset

At each level (OU or domain) where password resets are to be performed, delegate the "Reset user passwords and force password change at next logon" task to the relevant LDAP account (which may also be a group or Application Pool Identity account). The delegation must be applied to user objects.

<figure><img src="/files/lFgPeoTvcwnkvNpEaO4L" alt=""><figcaption><p>Reset Password rights with Delegation</p></figcaption></figure>

<figure><img src="/files/6v5mRjeDGnKZFBrpFS0M" alt=""><figcaption><p>Reset Password rights from Advanced Security Window</p></figcaption></figure>

### Unlock Account

As with the password reset right, the account unlock right must be granted in the security settings for user objects. Because the delegation screen has no dedicated entry for unlocking, grant "Read/Write lockoutTime" by selecting "descendant user objects" on the Advanced Security screen.

<figure><img src="/files/ACaHF9ABgzrUEMnTXCcf" alt=""><figcaption><p>Unlock Account rights from Advanced Security Window</p></figcaption></figure>

### Forcing Active Directory Rules to be Applied when Resetting Password

Users can reset and change passwords using ARKSSPR. By default, however, Active Directory does not prevent the same password from being set again during a password reset. A reset can therefore be used in place of a password change, which makes it a backdoor for circumventing password history rules. For Active Directory password change rules to be applied to resets as well, the following right must be granted at the domain level to the relevant LDAP account, group, or ApplicationPoolIdentity account.

<figure><img src="/files/Y91vVPKuZ17VPT7RtOce" alt=""><figcaption><p>Replicating Directory Changes rights from Security Window</p></figcaption></figure>
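
The three grants described on this page, scripted with `dsacls` as an added example (not ARKSSPR's own tooling). The account name and distinguished names are placeholders, and the `pwdLastSet` entry is the attribute permission that the "Reset user passwords and force password change at next logon" task adds alongside the Reset Password right; the script only prints the plan unless `-Apply` is given.

```powershell
# Added example, not ARKSSPR tooling. Account and DNs below are placeholders.
param(
    [string]$Account  = 'EXAMPLE\svc-arksspr',
    [string]$TargetOU = 'OU=Staff,DC=example,DC=com',
    [string]$DomainDN = 'DC=example,DC=com',
    [switch]$Apply    # without -Apply nothing is changed; the plan is only printed
)

function Get-SsprDelegationPlan {
    param([string]$Account, [string]$TargetOU, [string]$DomainDN)
    # /I:S with a trailing ";user" scopes the ACE to descendant user objects only.
    $rights = @(
        @{ Purpose = 'Reset password';         Target = $TargetOU; Inherit = '/I:S'; Right = 'CA;Reset Password;user' }
        @{ Purpose = 'Force change at logon';  Target = $TargetOU; Inherit = '/I:S'; Right = 'RPWP;pwdLastSet;user' }
        @{ Purpose = 'Unlock account';         Target = $TargetOU; Inherit = '/I:S'; Right = 'RPWP;lockoutTime;user' }
        # Domain level: only the right this page names, nothing broader.
        @{ Purpose = 'Password rules on reset'; Target = $DomainDN; Inherit = $null; Right = 'CA;Replicating Directory Changes' }
    )
    foreach ($r in $rights) {
        $dsaclsArgs = @($r.Target)
        if ($r.Inherit) { $dsaclsArgs += $r.Inherit }
        $dsaclsArgs += '/G', "${Account}:$($r.Right)"
        [pscustomobject]@{ Purpose = $r.Purpose; Arguments = $dsaclsArgs }
    }
}

$plan = Get-SsprDelegationPlan -Account $Account -TargetOU $TargetOU -DomainDN $DomainDN
foreach ($step in $plan) {
    Write-Host ('{0,-24} dsacls {1}' -f $step.Purpose, ($step.Arguments -join ' '))
    if ($Apply) {
        $dsaclsArgs = $step.Arguments
        & dsacls.exe @dsaclsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($step.Purpose)'" }
    }
}

if ($Apply) {
    # Review step: list every ACE that now names the account, so anything
    # beyond the four grants above stands out.
    foreach ($dn in @($TargetOU, $DomainDN)) {
        Write-Host "ACEs for $Account on ${dn}:"
        & dsacls.exe $dn | Select-String -SimpleMatch $Account
    }
}
```

Run the OU grants once per OU where resets and unlocks should be possible, and keep the review output with the change record.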


