Grant rights to reset passwords and unlock accounts
The rights to reset passwords and unlock accounts are granted with the help of security roles. A security role with the following permissions must be assigned to users who need such rights:
-
Allow Reset Password
-
Allow Write Lockout-Time Property
Note that accounts can be manually unlocked only in Active Directory domains. In Microsoft Entra domains, accounts are unlocked automatically, based on configured password policies and smart lockout.
In this tutorial, you will learn how to add the permissions to reset passwords an unlock accounts to an existing security role.
Permissions granted by security roles are effective only within Adaxes.
-
Launch Adaxes Administration console.
How { #collapse1}
-
On the computer where Adaxes Administration console is installed, open Windows Start menu.
-
Click Adaxes Administration Console.
-
-
Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.
-
In the Permissions section on the right, click Add.
-
In the Add Permissions dialog, do the following:
-
In the list of object types on the left, select User.
-
In the General permissions section, select the Reset Password permission in the Allow column.
-
In the Property-specific permissions section, select the Write Lockout-Time permission in the Allow column.
-
Click OK.
-
-
Click Save changes.
Account Options
If the Reset Password operation is configured in such a way that users can change only the User must change password at next logon option, the Reset Password permission is enough and no additional rights are required.
However, if you want users to be able to change the User cannot change password and Password never expires options as well, you need to grant them additional rights.
For details, see Grant rights to modify account options.