The password reset service runs the external validation script if specified. The account that runs the external validation script can be specified in the configuration tool to be different from the domain administrator account running the service.
If a specialized account is used to run the external validation tool, it is recommended to create a separate Group Policy Object (GPO) in Group Policy Management (Start -> Administrative Tools -> Group Policy Management) and enable it for the local system.
To create the GPO:
- Select the domain in the tree.
- Run in menu: Action -> Create a GPO in this domain, and link it here.
The GPO specifies a set of privileges. To edit the privileges:
- Select the GPO.
- Run in menu: Action -> Edit ...
The following privileges are necessary:
- Allow log on locally for the specified user account. (Note that the wizard recommends adding Administrators to the list.)
- Replace a process-level token.
The following image shows how the GPO appears after the changes.
To enforce the policy for the local system:
- Select the GPO.
- Run in menu: Action -> Enforced
Using a Non-Administrator Account for Running the Password Reset Service
A domain user account can be used to run the service instead of a local administrator account. The account must also hold the privileges Allow log on locally and Replace a process-level token.
The account must have permission to reset passwords in the domain. To configure it, open:
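As an added check that is not part of the original documentation: this PowerShell script, run as a local administrator on the server hosting the service after the GPO has been applied, confirms that the chosen account actually holds both user rights named above. The account name is a placeholder.

```powershell
# Added example (not from the product documentation): verify that the service /
# validation-script account holds the two user rights required by the GPO.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-pwdreset'   # placeholder, replace with the real account
)

# Resolve the account to its SID; secedit lists SIDs with a leading '*' in the export.
$ntAccount = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local user-rights assignments (UTF-16 .inf file).
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg -Encoding Unicode
Remove-Item $cfg -ErrorAction SilentlyContinue

# The two privileges from the documentation and their constant names in the policy file.
$required = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

$missing = @()
foreach ($right in $required.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    # Value is a comma-separated list of '*SID' entries (or names for well-known accounts).
    $holders = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    if (($holders -notcontains "*$sid") -and ($holders -notcontains $ServiceAccount)) {
        $missing += $required[$right]
    }
}

if ($missing.Count -gt 0) {
    Write-Warning "$ServiceAccount is missing: $($missing -join '; '). Check the GPO link and enforcement, then run 'gpupdate /force'."
    exit 1
}
Write-Output "$ServiceAccount holds both required user rights on $env:COMPUTERNAME"
```

The check only covers the user rights set by the GPO; the password-reset delegation in Active Directory Users and Computers is configured and verified separately.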
- Start -> Administrative Tools -> Active Directory Users and Computers
To delegate the permissions:
- Run in menu: View -> Advanced Features
- Select the domain name and run in the menu: Action -> Delegate Control ...
- Add the user to the list.
- Set the task Reset user passwords and force password change at next logon to delegate.
- Finish the wizard.