Active Directory lets you delegate control of specific permissions to particular users or groups. IT admins can authorize a user or group to perform granular tasks such as resetting an account password and forcing the user to change that password at the next logon. Instead of adding IT helpdesk technicians or other users to highly privileged groups such as Domain Admins, delegation grants only the specific permissions they need in the environment, which keeps the helpdesk aligned with a least privilege model.

How are the password reset permissions delegated in Active Directory? To begin, open Active Directory Users and Computers and right-click the container at the level where you want to delegate permissions. Below, the parent domain is chosen; however, you can delegate at a specific OU as well. Delegation at the domain root applies to every user object beneath it, so in practice delegate on the OU that holds the accounts the helpdesk actually supports. Note also that members of protected groups (Domain Admins, Enterprise Admins and the like) have their ACLs periodically overwritten from AdminSDHolder, so a delegation made here will not carry over to those accounts. Right-click the object and select Delegate Control.

Beginning the Delegation of Control Wizard

The Delegation of Control Wizard begins, which allows delegating specific, granular permissions.

The Delegation of Control Wizard begins

Choose the user or group to which you want to delegate permissions. It is best practice to delegate to a group rather than to an individual user: administrators can then move users into and out of the group that holds the granular permissions, and the delegated rights in the directory itself never need to change. Keep in mind that membership of that group is now a privilege boundary, since anyone in it can take over any account in scope by resetting its password, so treat its membership accordingly.

Select the user or group you want to delegate permissions

Choose the permissions you want to delegate in the wizard. Since we are interested in password reset activities, choose the “Reset user passwords and force password change at next logon” task. Under the hood this grants two things on descendant user objects: the Reset Password extended (control access) right, and read/write access to the pwdLastSet attribute, which is what setting “User must change password at next logon” modifies.

Select the permissions to delegate

Complete the Delegation of Control Wizard to assign the granular permissions to the Active Directory group (or user). Afterwards, confirm the resulting ACEs on the container, for example with dsacls or Get-Acl on the AD: drive, so you can see exactly what was granted and to whom.

Complete the delegation of permissions wizard
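The same delegation can be scripted, which is useful for repeatable builds and for auditing what the wizard actually wrote. The PowerShell below is an added example, not code from the original article: it grants the two permissions the wizard task grants (the Reset Password extended right, plus read/write on pwdLastSet, both scoped to descendant user objects) on an OU, then lists the resulting ACEs for verification. It assumes the RSAT ActiveDirectory module, and the OU and group names are hypothetical placeholders you would replace with your own.

```powershell
# Added example: delegate password reset rights to a helpdesk group on one OU,
# then verify. Requires the RSAT ActiveDirectory module; run as a user who can
# modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'     # assumed OU: scope narrowly, not the domain root
$groupName = 'Helpdesk-PasswordReset'          # assumed group name
$group     = Get-ADGroup -Identity $groupName
$identity  = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the GUIDs from the schema and configuration partitions rather than hardcoding them.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$pwdLastSet = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID
$resetPwd  = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid

$userClassGuid  = [Guid]$userClass.schemaIDGUID
$pwdLastSetGuid = [Guid]$pwdLastSet.schemaIDGUID
$resetPwdGuid   = [Guid]$resetPwd.rightsGuid

# Both ACEs inherit to descendant objects of class "user" only, matching the wizard.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the "Reset Password" control access right
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $inherit, $userClassGuid)

# ACE 2: read/write pwdLastSet (set to 0 to force a change at next logon)
$rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$pwdLastSetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $rw, $allow, $pwdLastSetGuid, $inherit, $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs granted to the helpdesk group on this OU.
$ntAccount = $identity.Translate([System.Security.Principal.NTAccount])
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq $ntAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Looking up the GUIDs at run time instead of pasting well-known values avoids typos that would silently grant the wrong attribute, and the final query is the same check you would run after using the wizard: anything beyond ExtendedRight on the Reset Password GUID and ReadProperty/WriteProperty on pwdLastSet, both limited to the user class, is more than the helpdesk was supposed to receive.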