Oplon Secure Access
Active Directory

Active Directory Guide

To let users reset their password through Self Service, a delegated user must be set up. If PSOs (Password Settings Objects) are configured, you must also grant read access to some PSO information.

Password reset

To enable this function, you must delegate permission for password reset in the ADUC (Active Directory Users and Computers) console:

  1. Right-click the OU or domain in ADUC and select Delegate Control;
  2. Click on Next;
  3. Click on Add to select users and groups, select the users or groups to delegate and click OK. Click Next;
    Figure 1: Select delegated users/groups
  4. Select Create a custom task to delegate and click on Next;
    Figure 2: Task to delegate
  5. Select Only the following objects in the folder. In this list, select User objects and click on Next;
    Figure 3: Task scope
  6. Click on General and select Property-specific. In this list, select Reset password, Read pwdLastSet and Write pwdLastSet. Click on Next and Finish;
    Figure 4: Permission to reset
    Figure 5: Read and write permissions
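
To confirm that the wizard left the delegated account with only the rights selected in step 6, the ACL on the OU can be audited from PowerShell. This is an added example, not part of the Oplon documentation; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and account name are constructed placeholders.

```powershell
# Added example: audit what a delegated account may do on user objects in an OU.
# Requires the RSAT ActiveDirectory module. $OuDn and $Delegate are placeholders.
Import-Module ActiveDirectory

$OuDn     = 'OU=Staff,DC=example,DC=com'   # constructed placeholder
$Delegate = 'EXAMPLE\svc-selfservice'      # constructed placeholder

$root   = Get-ADRootDSE
$schema = $root.schemaNamingContext
$extRts = "CN=Extended-Rights,$($root.configurationNamingContext)"

# Resolve the GUIDs from the directory instead of hard-coding them.
$pwdLastSet = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$userClass  = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd   = [guid](Get-ADObject -SearchBase $extRts -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' -Properties rightsGuid).rightsGuid

# Property rights the procedure grants on pwdLastSet (one combined ACE or two).
$propRights = 'ReadProperty', 'WriteProperty', 'ReadProperty, WriteProperty'

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    ForEach-Object {
        $r = $_.ActiveDirectoryRights.ToString()
        # Expected: Allow ACEs scoped to user objects that carry either the
        # Reset Password extended right or read/write on pwdLastSet.
        $expected =
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritedObjectType -eq $userClass -and (
                ($r -eq 'ExtendedRight' -and $_.ObjectType -eq $resetPwd) -or
                ($r -in $propRights     -and $_.ObjectType -eq $pwdLastSet)
            )
        [pscustomobject]@{
            Rights     = $r
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            Inherited  = $_.IsInherited
            Verdict    = if ($expected) { 'expected' } else { 'REVIEW' }
        }
    }
```

Any row marked REVIEW is an ACE for the delegated account that falls outside the password reset delegation, for example the PSO read permission from the next section or a broader right such as GenericAll.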

Enabling password policy (PSO)

To enable this function, you must enable the PSO reading permission in the ADUC (Active Directory Users and Computers) console:

  1. Right-click the OU or domain in ADUC and select Delegate Control;
  2. Click on Next;
  3. Click on Add, select the users or groups to delegate and click on OK. Click on Next;
    Figure 6: Select delegated users/groups
  4. Select Create a custom task to delegate and click on Next;
    Figure 7: Task to delegate
  5. Select Only the following objects in the folder. In this list, select msDS-PasswordSettings objects and msDS-PasswordSettingsContainer objects. Click on Next;
    Figure 8: Select permissions
  6. Make sure General is checked and select the Read permission. Click on Next and Finish.
    Figure 9: Read permissions

Note

  • For password change, the user must have the password change permission;
  • If a user whose password is nearing expiration does not see the number of days before the password expires in his private area under Change Password, Password never expires needs to be disabled in the user's account properties in Active Directory.