Allow AD user to set passwords but no other attributes

Solution 1

You can do this by delegating the user the right to change the password using the "Delegation of Control" wizard:

Start the Delegation of Control Wizard, select your user or group to delegate

Open the ADUC, find your domain tree and browse to the topmost level that you wish to apply user permissions (for example, 'Domain users' at my workplace), right-click > 'Delegate Control'.

At the Welcome dialog, click 'Next'.

At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.

At the Select Users, Computers, or Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced' > 'Find' to locate the resource to which you wish to apply permissions.

Once you've selected your resource(s), click 'OK' at the Select Users, Computers, or Groups dialog, then click 'Next' at the Users or Groups dialog.

Delegate your task(s)

At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.

If you ONLY want to delegate the reset password task

Verify that 'Delegate the following common tasks' radio button is ticked and select 'Reset user passwords and force password change at logon' and click the 'Next' button.

If you additionally want to delegate the ability to enable/disable user accounts

Tick the 'Create a custom task to delegate' radio button and click the 'Next' button.

Tick the 'Only the following objects in the folder' radio button, and select 'User objects' and click the 'Next' button.

At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:

Change Password
Reset Password
Read userAccountControl
Write userAccountControl

Click the 'Next' button.
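The same custom-task delegation from Solution 1 (Change Password and Reset Password on user objects plus read/write of userAccountControl), applied and then audited with the ActiveDirectory PowerShell module. This is an added example, not code from the answer above; the OU distinguished name and the group name are assumed values, and the GUIDs are resolved from the schema and configuration partitions rather than hardcoded.

```powershell
# Added example (not from the original answer). Assumed: target OU and delegated group.
Import-Module ActiveDirectory

$OuDn     = 'OU=Staff,DC=example,DC=com'    # assumed container to delegate on
$GroupSam = 'Helpdesk-PasswordReset'         # assumed group receiving the rights

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup $GroupSam
$sid     = $group.SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Look the GUIDs up in the directory so nothing is hardcoded.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'user'               # 'Only the following objects': User objects
$uacAttr   = Get-SchemaGuid 'userAccountControl' # the one attribute needed to enable/disable

$acl = Get-Acl -Path "AD:\$OuDn"

# 'General' tab: the two password extended rights, limited to descendant user objects.
foreach ($right in 'Reset Password', 'Change Password') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-RightGuid $right), $inherit, $userClass))
}
# 'Property-specific' tab: read and write userAccountControl only, nothing else.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
    $uacAttr, $inherit, $userClass))
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Audit: list every ACE the group now holds on the OU; anything beyond the four
# rights above means the delegation is wider than "passwords and enable/disable".
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

The ObjectType column of the audit output shows the resolved GUIDs, so compare them against the four you delegated when checking a container that someone else configured.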

Solution 2

Use Delegation of Control to grant the user the ability to "Reset user passwords and force password change at next logon".


Author: Geronimo

Updated on September 18, 2022

Comments

  • Geronimo, almost 2 years ago

    I know that there are many similar answers, but none of them suits me. I have a class library called MyLibrary. It has only one type. I'm going to create an instance of my type in another AppDomain; that's why I don't use Activator.

    using System;

    // Namespace assumed from the lookup "MyLibrary.Test" in the Main method below.
    namespace MyLibrary
    {
        public class Test
        {
            public Test()
            {
                Console.WriteLine("Ctor of Test type.");
            }

            // Instance method to be called from the other AppDomain.
            public void Hello(string name)
            {
                Console.WriteLine($"Hello {name}! I'm an instance method.");
            }
        }
    }
    

    I created a simple console application. This is the code of the Main method.

    using System;
    using System.Reflection;

    static void Main(string[] args)
    {
        string path = @"example of my path";
        // Second AppDomain that should host the instance.
        AppDomain domain = AppDomain.CreateDomain("mydomain");
        // Load the library in the current domain to obtain the type metadata.
        Assembly mylibrary = Assembly.LoadFrom(path);
        Type typeOfTest = mylibrary.GetType("MyLibrary.Test");
        // Creates the object in "mydomain"; the return value is a
        // System.Runtime.Remoting.ObjectHandle wrapping it, not a Test.
        var instanceOfTest = domain.CreateInstanceFrom(path, typeOfTest.FullName);
        MethodInfo hello = typeOfTest.GetMethod("Hello");
        // Attempted call of the instance method on the returned handle.
        hello.Invoke(instanceOfTest, new object[] {"Bob"});
    }
    

    What is the right way to call the Hello method? I can create and call a static method from the Test type, but I can do nothing with a non-static instance method?