Active Directory Rights
ARKSSPR is a product that simplifies end-user password management tasks. Operations such as password reset and account unlock are carried out through an Active Directory account that holds the corresponding delegated rights; this account is referred to below as the LDAP account.
At the level or levels (OU or domain) where password resets are to be performed, use the Delegation of Control wizard to grant the "Reset user passwords and force password change at next logon" task to the LDAP account (this may be a user, a group, or the Application Pool Identity account). The delegation must apply to user objects: it is a right on the user objects beneath the OU or domain, not on the OU or domain object itself.
Account unlock is likewise granted through the security settings of user objects. The Delegation of Control wizard has no predefined task for it, so open the Advanced Security settings of the OU or domain, add an entry for the LDAP account that applies to "Descendant User objects", and grant "Read lockoutTime" and "Write lockoutTime". Unlocking an account sets lockoutTime to 0, so write access to this single attribute is sufficient; no broader write permission on the user object is needed.
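The two delegations above, applied with the RSAT ActiveDirectory module instead of the GUI. This is an added example for this page, not ARKSSPR's own tooling; the LDAP account name `svc-sspr` and the OU `OU=Users,DC=corp,DC=example` are assumed placeholders, and the helper functions `Get-SchemaGuid`, `Get-ExtendedRightGuid` and `Get-SsprDelegation` are defined here for illustration. Run it as an account allowed to modify the target OU's security descriptor.

```powershell
# Added example (not from the ARKSSPR documentation). Grants, on descendant user objects:
#   1. the "Reset user passwords and force password change at next logon" wizard task
#      (the "Reset Password" control access right plus read/write on pwdLastSet)
#   2. read/write on lockoutTime, which is all that account unlock requires
Import-Module ActiveDirectory

$Identity = 'svc-sspr'                      # assumed: user, group or app-pool identity sAMAccountName
$TargetDN = 'OU=Users,DC=corp,DC=example'   # assumed: OU or domain DN that receives the delegation

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve the GUIDs from this forest's schema and Extended-Rights container rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'          # inheritedObjectType => shows as "Descendant User objects" in the GUI
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

# objectSid is returned as a SecurityIdentifier, which is a valid IdentityReference for the ACE.
$sid     = (Get-ADObject -LDAPFilter "(sAMAccountName=$Identity)" -Properties objectSid).objectSid
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rw      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = @(
    # Step 1: Reset Password control access right + pwdLastSet (pwdLastSet = 0 forces a change at next logon)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ext, $allow, $resetPwd,    $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw,  $allow, $pwdLastSet,  $inherit, $userClass)
    # Step 2: unlock = write lockoutTime (set to 0); no wizard task exists, so grant the attribute directly
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rw,  $allow, $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$TargetDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verification: the explicit (non-inherited) ACEs the account now holds on the target and their scope.
function Get-SsprDelegation {
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Identity" -and -not $_.IsInherited } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}
Get-SsprDelegation | Format-Table -AutoSize
```

After running it, the three entries should appear in the OU's Advanced Security settings as applying to "Descendant User objects", with ObjectType equal to the Reset Password, pwdLastSet and lockoutTime GUIDs respectively. Scope the delegation to the OU that actually contains self-service users rather than the domain root unless domain-wide reset is required; the account can then reset only those users and nothing else.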
Users can both reset and change their passwords through ARKSSPR. However, a password reset, unlike a password change, is not checked against the password history by default: Active Directory allows a reset to set the same password again. Reset therefore offers a second path alongside change, and a backdoor around the history rules. In order for Active Directory's password change rules to also be applied to resets, the following right must be granted at the domain level to the relevant LDAP account, group or ApplicationPoolIdentity account.