Password reset

I know there are many threads about password reset, but I cannot find what I’m looking for.

In a typical agentless setup, I have a resource with x number of accounts.

One account is set to be the account used for resetting the password on itself and the other accounts in the same resource.

It works with password validation, but not reset, since the account specified for reset doesn’t have password-reset rights on the resource (windows/windows-domain) for accounts other than itself.

So why don’t I give it rights to reset password? I can’t, because all of my resources are divided into system relations and then grouped so I can share a resource group with the application managers (password user). I don’t want this type of user to have access to an AD account with reset rights.


It could look like this: System X has 1 app-server (windows resource-type), 1 SQL-server (SQL-resource-type), Y number of AD-accounts used for services (windows-domain-resource-type). All 3 resources are then grouped and shared.

Another system will have the same structure, so I have many (windows-domain-resource-type) connecting to the same domain.

Is there a way to provide a generic account to be used for password reset, BUT resources/users using this account should not have access to the account, unless shared in a normal way?

I know the log in AD would say all resets are coming from this one account, but audit-wise I would still know who did the reset, because it would be in the PMP audit log.

Kind regards

Kasper
