Symptoms:
After receiving the confirmation email and clicking on the link in the email notification to reset a password, user gets this error message:
Cause :
The Administrative Account configured in the Password Reset properties pane does not have sufficient permission to perform some assigned task such as unlock account or enable account.
Resolution:
Make sure that this administrative account has enough permission to enable user accounts, unlock user accounts or for password change at next logon.
Follow the steps below to provide minimum permission to the password reset administrative account :
1. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers
- Create a new domain account for Bamboo Password Reset Web Part
- Right-click on the domain (or OU containing SharePoint users) and select Delegate Control…
- Under Delegation of Control Wizard, click Next
- Click Add and select the newly-created domain account. Click Next
- Under Tasks to Delegate, select create a custom Task to delegate and click Next
- Under Active Directory Object Type, choose Only the following objects in the folder and select User objects check box. Click Next
- Under Show these permissions check both General and Property-specific
- Select Reset Password to grant the account permission to reset password
- Select Read userAccountControl and Write userAccountControl to grant permissions to enable user accounts
- Select Read LockoutTime and Write LockoutTime to grant permissions to unlock user accounts
- Select Read pwdLastSet and Write pwdLastSet to grant permission to force password change on next logon
- Click Next and Finish.
Workaround:
You could also configure Password Reset Web Part so that only Reset Password right is needed for the administrative account. To do this, open the Password Reset properties pane and uncheck Unlock Account Automatically, Enable Account Automatically and User must change password at next logon.