This seems to be a problem for a lot of people on the ‘net so I figured I’d document it here.
First, we need to make sure LDAP authentication is set up properly; take a look at the following screenshots. (This assumes that you’ve already created a separate account for binding to the AD/LDAP database; in my examples below, this account is referred to as the “ldap bind” account.)
Once you’ve done all of that, you’ll need to delegate the ability to change user passwords to your “ldap bind” account. This “sandboxes” the account; i.e., it lets the account change passwords without requiring administrative privileges, so it has only the exact level of privilege it needs to do its job. Active Directory lets you use the Delegate Control wizard to delegate the “Reset user passwords and force change at next logon” task, but depending on which version of Windows Server you are running, this might not work as expected. To give an LDAP bind user the ability to authenticate users and change passwords via NetExtender and Virtual Office, you can instead delegate access in the following manner:
- In Active Directory Users and Computers, right-click the desired OU and select Delegate Control.
- Click Next.
- Click Add.
- Select a user or group, then click OK.
- Click Next.
- Select Create a custom task to delegate, and then click Next.
- Click Only the following objects in the folder, click to select the User objects check box, and then click Next.
- Click to select the General and the Property-specific check boxes.
- Click to select the Reset Password, Read pwdLastSet, and Write pwdLastSet check boxes in the Permissions box.
- Click Next, and then click Finish.
If for some reason it’s still not working, ensure that User objects are configured to Include inheritable permissions from this object’s parent, from the Advanced Security Settings page on each user object that needs to be able to update their password via NetExtender and/or Virtual Office. Note: You must have Advanced Features enabled in the view from within ADUC in order to see this page. To enable it, navigate to View and select Advanced Features. Now you’ll be able to see the Security tab of any Organizational Unit or Object.
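To confirm the result of the wizard steps and the inheritance setting described above, the following PowerShell check can be run on a machine with the RSAT ActiveDirectory module. It is an added example, not part of the original post; the OU distinguished name and the bind account name are placeholders to replace with your own.

```powershell
# Added example: verify the delegated rights on the OU and list user objects
# that do not inherit them. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders (assumptions): substitute your own OU and bind account.
$OuDn     = 'OU=VPN Users,DC=example,DC=com'
$BindAcct = 'EXAMPLE\ldapbind'

# Well-known schema GUIDs for the items ticked in the wizard.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Allow ACEs on the OU for the bind account that apply to User objects only
# (the "Only the following objects in the folder" choice in the wizard).
$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $BindAcct -and
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -eq $UserClass
}

# True when some ACE grants $Right on the given right/attribute GUID.
function Test-DelegatedRight($Right, [guid]$ObjectType) {
    [bool]($aces | Where-Object {
        $_.ObjectType -eq $ObjectType -and ($_.ActiveDirectoryRights -band $Right)
    })
}

[pscustomobject]@{
    ResetPassword   = Test-DelegatedRight $Rights::ExtendedRight $ResetPassword
    ReadPwdLastSet  = Test-DelegatedRight $Rights::ReadProperty  $PwdLastSet
    WritePwdLastSet = Test-DelegatedRight $Rights::WriteProperty $PwdLastSet
} | Format-List

# Any other ACEs held by the bind account on this OU mean it is broader
# than the three permissions the procedure grants; review them.
$aces | Where-Object { $_.ObjectType -notin $ResetPassword, $PwdLastSet } |
    Select-Object ActiveDirectoryRights, ObjectType

# Users with inheritance disabled will not receive the delegated ACEs.
Get-ADUser -Filter * -SearchBase $OuDn -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName
```

All three values in the first output should be True, and the last two queries should return nothing if the delegation is scoped as described and every user in the OU inherits it.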