Resetting an Active Directory user password is normally restricted to IT Admin staff. The Managed Directory User Account feature in NetSupport DNA allows a user of the DNA Console to reset Active Directory passwords and enable/disable user accounts. Passwords can also be reset using the NetSupport School Tutor or Tech Console.
By default, normal users in Active Directory or users of Active Directory who are not members of the ‘Administrators’ group or ‘Domain Admins’ group do not have the required level of access to reset user passwords. The Delegation of Control wizard can be used to enable access for the Active Directory security group or the individual users.
On a domain machine, log in as a domain administrator with Remote Server Administration Tools installed:
Create a global security group for users who will need to operate the NetSupport DNA Manage Users facility.
Delegate the permissions to the security group:
- Click Start, click Run, type dsa.msc in the Open box, and then click OK.
- Right-click the Organisational Unit to which you want to delegate permissions, and then click Delegate Control.
- Click Next and then click Add.
- Enter your group name, click Add, and then click OK.
- Click Next, check Create a custom task to delegate and then click Next.
- Click Only the following objects in the folder, select the User objects check box, and then click Next.
- Select the General and the Property–specific options.
- Select the check boxes:
- To enable change password.
- To allow unlocking of accounts.
To allow enable\disable accounts (not required for non-console users, i.e. those using the Agent instigated password reset facility).
- Click Next, and then click Finish.
- In the NetSupport DNA Console, select the Settings tab and click Operators.
- Click Roles.
- In the role ensure that the Can Manage AD User accounts (unlock, change/set passwords etc) permission is enabled.
- Associate this role to the security group that has been created in step 1.
- Click OK.