How to configure permissions for Windows password reset tool


Alloy products include a utility that allows you to reset Windows passwords directly from our application. However, when your technicians launch Windows password reset tool from our workflow, they must have respective permissions to work with the utility. This article explains how to grant required permissions for your technicians.


The Active Directory has the capability to delegate permissions to modify various aspects of the directory to lower privileged users. Many companies grant the capability to reset user passwords to their support desks or managers using this method. Please see the procedure below on how to configure permissions.

TIP: We provide this information as a courtesy only. Consider other sources to ensure the information here is accurate as well as pertaining to your environment.

There are three permissions that may be considered a part of the password reset delegation policy:

  • Reset Password – enables the group to reset the password for a user. This permission allows technicians to work as administrators, so they do not need to know the previous password.

  • Read/Write pwdLastSet - enables the setting of the user must change password on next logon flag. This permissions may be considered as required when resetting a user password.

  • Read/Write lockoutTime – assuming you have an account lockout policy, most users will keep guessing passwords until they are locked out before contacting the help desk for assistance. This permission allows your delegated group to simply remove the Account is locked out check box on the Account tab of the user’s account property.

To delegate the reset user passwords permissions to a group of users:

  1. Open Active Directory Users and Computers.

  2. Make sure the Advanced Features option is enabled: click View from the main menu and select the Advanced Features check mark on the left.

    Alternatively, create a User Group for this delegation. If you are granting rights to users in another domain (but still in your same forest) you will need to make this group a Universal Group. Otherwise a Global group is fine for delegating to users inside your domain.

  3. Navigate to the Organizational Unit (OU) you want to delegate password reset rights to and right- click the OU. Drop down to and click on properties. On the [OU_NAME] Properties dialog box, click Advanced.

  4. On the Advanced Security Settings for [OU_NAME] dialog box, click Add. When prompted, enter or search for your security group and click OK. The Permission Entry for [OU_NAME] dialog box opens.

  5. In the Permission Entry for Users dialog box, change Apply onto to User Objects. Select the check box to enable Reset Password. In the upper right, click the Properties tab and change the Apply onto to User Objects. Finally, scroll down to pwlLastSet. Select the Allow check box for read and write, then repeat the same to the lockoutTime property.

  6. Click OK. The Summary Page opens. Advanced Security Settings for users will now have three entries.

Applies to

This article applies to these products:

  • Alloy Navigator 6, Alloy Navigator 7, Alloy Navigator 8
  • Alloy Navigator Express 6, Alloy Navigator Express 7, Alloy Navigator Express 8