Article ID: 296999
This article was previously published under Q296999
By default, when you, as the administrator, delegate the ability to reset passwords to a user or group by using the Delegation of Control Wizard, that user or group does not also receive the permission to force a user whose password has been reset to change it the next time that user logs on. If the delegated user right-clicks a user account, clicks Reset Password, and then selects the "User must change password at next logon" check box, the password is reset, but the target user is not forced to change it at the next logon.
This behavior occurs because the delegated user does not have the minimum permission needed to set the "User must change password at next logon" option, which is the Write Account Restrictions permission on user objects. When you delegate the ability to reset passwords, the only permission granted over the delegated container is the Reset Password permission on user objects.
You can use the Delegation of Control Wizard to delegate the Reset Password permission to the delegated user. To change the "User must change password at next logon" flag, however, the delegated user must also have write permission over the user containers, and that write permission grants more than is needed: Write Account Restrictions is a super permission that also provides access to several other user properties. The specific property that forces the user to change their password at next logon is pwdLastSet. By default, the individual property permissions are not visible in the security editor; which permissions are filtered is controlled by values in the Dssec.dat file. To resolve this issue, you can use the following steps to delegate permissions for only the Reset Password permission and the pwdLastSet property to a user-defined group named Help Desk.
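The same narrow delegation, granting the Help Desk group only the Reset Password right and write access to pwdLastSet on user objects, can be applied from PowerShell instead of through the security editor. The following script is an added example and is not part of the KB article; it assumes the ActiveDirectory module is available, that the caller may modify the OU's security descriptor, and that the OU path (OU=Staff,DC=example,DC=com) is a placeholder to replace. The GUIDs for the user class, the pwdLastSet attribute and the Reset Password control access right are read from the directory rather than hard-coded.

```powershell
# Added example, not code from KB 296999: delegate only the "Reset Password"
# extended right and write access to the pwdLastSet attribute on user objects
# under one OU to the group "Help Desk", without granting the wider
# Write Account Restrictions permission.
# Assumptions: the ActiveDirectory PowerShell module is installed, the caller
# can modify the OU's security descriptor, and $ouDN below is a placeholder.

Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed target container; change for your domain
$groupName = 'Help Desk'                     # the group name the article uses

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve the object-type GUIDs from the directory itself instead of hard-coding them:
# the schemaIDGUID of the user class and of the pwdLastSet attribute, and the
# rightsGuid of the "Reset Password" control access right.
$userClassGuid  = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$groupSid = (Get-ADGroup -Identity $groupName).SID
$aclPath  = "AD:\$ouDN"
$acl      = Get-Acl -Path $aclPath

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the Reset Password extended right, inherited only by user objects.
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow,
    $resetPwdGuid,
    $descendants,
    $userClassGuid)

# ACE 2: write access to the single attribute pwdLastSet, inherited only by user objects.
$pwdRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow,
    $pwdLastSetGuid,
    $descendants,
    $userClassGuid)

$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdRule)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: list the ACEs the group now holds on the OU. Expect exactly two entries,
# one ExtendedRight and one WriteProperty, both with InheritedObjectType = user class.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Setting the ACEs by script does not depend on the Dssec.dat filtering described above, because that file only controls which properties the graphical security editor displays; the editor will still hide the pwdLastSet entry until the filter is changed, so use the verification step at the end of the script (or dsacls) to confirm the result. Scoping both ACEs to descendant user objects keeps the group from writing pwdLastSet on computer or other account objects in the same OU.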
For additional information about delegating permissions, see the following articles in the Microsoft Knowledge Base:
235531 Default Security Concerns in Active Directory Delegation (http://support.microsoft.com/kb/235531/EN-US/)
229873 Delegate Control Wizard Cannot Be Used to Remove Groups or Users (http://support.microsoft.com/kb/229873/EN-US/)
296490 How to modify the filtered properties of an object (http://support.microsoft.com/kb/296490/)