Permissions a Service Account for PRA or RS needs to change AD passwords

Procedure 1: To grant Microsoft Active Directory password reset permissions to your PRA or RS Service account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow the PRA or RS Service Account to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PRA or RS Service account you created previously.
  6. Click Next to proceed.
  7. Under Delegate the following common tasks, select Reset user passwords and force password change at next logon. This delegates the AD password change and reset privileges to the service account.
  8. Click Next to proceed.
  9. Review the changes and ensure the changes are correct.
  10. Click Finish to save your changes and close the wizard.

You need to run the Delegation of Control wizard one more time to delegate the AD unlock account privilege. Follow Procedure 2 to complete this action. Unlocking an account is controlled by the AD lockoutTime attribute, so this privilege cannot be delegated with a common task as the reset password privileges were; it must be delegated as a custom, property-specific task.

Procedure 2: To grant Active Directory unlock account permissions to your PRA or RS Service account:

  1. Open Active Directory Users and Computers from the Start > All Programs > Administrative Tools menu.
  2. At the root of the directory tree for the domain, right-click the root of your domain (or another OU you want to allow the PRA or RS Service Account to manage) and choose Properties.
  3. Click Delegate Control to open the Delegation of Control Wizard.
  4. Click Next to proceed past the wizard’s welcome page.
  5. Click Add and find the PRA or RS Service account you created previously.
  6. Click Next to proceed.
  7. Choose Create a custom task to delegate and click Next.
  8. Choose Only the following objects in the folder from the Delegate control of option.
  9. Check the User objects option as the object to which to delegate.
  10. Click Next to proceed.
  11. Ensure Property-specific is checked.
  12. Scroll to the Read lockoutTime permission and check Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
  13. Click Next to proceed.
  14. Review the changes and ensure the changes are correct.
  15. Click Finish to save your changes and close the wizard.
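The two wizard runs above write access control entries (ACEs) onto the OU. The following PowerShell script is an added example, not part of this article or of the PRA/RS product, that applies the same delegation for both Procedure 1 and Procedure 2 with the ActiveDirectory module and then lists the resulting ACEs so you can verify exactly what the service account was granted. The domain name, service account name and target OU are placeholders you must replace; the common task in Procedure 1 is assumed to map to the Reset Password extended right plus Read/Write on pwdLastSet, and Procedure 2 to Read/Write on lockoutTime, both scoped to descendant User objects. Run it from an elevated session with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the article): scripted equivalent of Procedure 1 and
# Procedure 2, followed by a verification listing of the delegated ACEs.
# Placeholders to replace: domain CONTOSO, service account svc-pra, target OU.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-pra'                     # placeholder
$TargetOU       = 'OU=Managed Users,DC=contoso,DC=com'   # placeholder (or the domain root DN)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from this forest's schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClassGuid   = Get-SchemaGuid 'user'
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$resetPwdGuid    = Get-ExtendedRightGuid 'Reset Password'

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# "Descendant User objects": the ACE is inherited by user objects under the OU only.
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

$rules = @(
    # Procedure 1: "Reset user passwords and force password change at next logon"
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $extRight,  $allow, $resetPwdGuid,    $inherit, $userClassGuid)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $readWrite, $allow, $pwdLastSetGuid,  $inherit, $userClassGuid)
    # Procedure 2: Read lockoutTime and Write lockoutTime on User objects only
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $readWrite, $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: show only the ACEs held by the service account on the OU.
# Expect three Allow entries whose InheritedObjectType is the user class GUID
# and nothing broader (no GenericAll, no WriteDacl).
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification listing is the useful part even if you delegated through the wizard: a least-privilege service account should show only these property-specific and extended-right entries on the chosen OU, and the script can be re-run as a read-only audit by removing the Set-Acl line.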
