> For the complete documentation index, see [llms.txt](https://docs.fortifiedid.se/password-reset/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.fortifiedid.se/password-reset/modules/adresetclient/permissions.md).

# Permissions

### Overview

To reset a password, unlock an account, or require password change at next logon, the service account needs the correct permissions.\
There are different ways to delegate permissions in AD. Below is one way of doing this for the ADResetClient proxy account.

### Delegate Reset Password and Change Password at Next Login

1. Open **Active Directory Users and Computers**\
   \&#xNAN;*Start > All Programs > Administrative Tools menu.*
2. Right-click the OU or the root from which you want to delegate.
3. Click **Delegate Control** to open the Delegation of Control Wizard.
4. Click **Next** to proceed past the wizard’s welcome page.
5. Click **Add** and find the user account you want to delegate to.
6. Click **Next** to proceed.
7. Under **Delegate the following common tasks**, choose to delegate the privilege to **Reset user passwords and force password change at next logon**. This will delegate AD password change and reset privileges to the service account.
8. Click **Next** to proceed.
9. Review the changes and ensure the changes are correct.
10. Click **Finish** to save your changes and close the wizard.

### Delegate Unlock Account

1. Open **Active Directory Users and Computers**\
   \&#xNAN;*Start > All Programs > Administrative Tools menu.*
2. Right-click the OU or the root from which you want to delegate.
3. Click **Delegate Control** to open the Delegation of Control Wizard.
4. Click **Next** to proceed past the wizard’s welcome page.
5. Click **Add** and find the user account you want to delegate to.
6. Click **Next** to proceed.
7. Choose **Create a custom task to delegate** and click **Next**.
8. Choose **Only the following objects in the folder** from the **Delegate control of** option.
9. Check the **User** objects option as the object to which to delegate.
10. Click **Next** to proceed.
11. Ensure **Property-specific** is checked.
12. Scroll to the Read lockoutTime permission and check **Read lockoutTime** and **Write lockoutTime**.
13. Click **Next** to proceed.
14. Review the changes and ensure the changes are correct.
15. Click **Finish** to save your changes and close the wizard.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fortifiedid.se/password-reset/modules/adresetclient/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.