Exchange 2016: Reset Password from EAC
If you have ever wondered how to reset a password from the EAC, this blog will help you. It is one of the simplest tasks, and you can do it from ADUC as well.
One of my customers wanted to enable this in the EAC, so I did it and am sharing the steps with the world in case you need to do the same in your infrastructure.
EAC does not show you the password reset option by default when you open the recipient properties.
We need to run through the following steps to enable the reset password option:
-Log in to the Exchange 2016 server and open the Exchange Management Shell.
-Now run the following 3 commands one at a time.
Add-pssnapin microsoft*
Install-CannedRbacRoles
Install-CannedRbacRoleAssignments
If you do not run these commands and go to the EAC to add permissions, you will see an error and the permissions will not be added.
-Log in to the EAC and go to permissions.
-Select the Admin role to which you would like to assign the Reset Password role permission. Then click on edit.
-Click the + sign on the Roles. Select Reset Password and click add, then ok & save. This should save the permissions.
-Now log out of the EAC.
-Reopen the EAC and you should see the reset password option in any recipient's properties.
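The EAC steps above can also be done from the Exchange Management Shell. The following is an added example, not part of the original post: it assigns the Reset Password role to a role group and then lists every account that effectively holds the role, which is worth reviewing because anyone on that list can reset other users' passwords. The role group name 'Help Desk' is an assumed placeholder; substitute the admin role group you selected in the EAC.

```powershell
# Added example. Run in the Exchange Management Shell after the three
# commands above. $RoleGroup is a placeholder, not a value from the post.
$RoleGroup = 'Help Desk'
$Role      = 'Reset Password'

# Stop early if the role is not available in this organization.
if (-not (Get-ManagementRole -Identity $Role -ErrorAction SilentlyContinue)) {
    throw "Management role '$Role' was not found."
}

# Add a regular (non-delegating) assignment only if the role group
# does not already have one, so the script is safe to re-run.
$existing = Get-ManagementRoleAssignment -Role $Role -RoleAssignee $RoleGroup `
                -Delegating $false -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name "$Role-$RoleGroup" `
        -Role $Role -SecurityGroup $RoleGroup
}

# Audit: expand group membership and show every user who can now
# reset passwords, together with the write scope of the assignment.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers -Delegating $false |
    Sort-Object RoleAssigneeName, EffectiveUserName |
    Format-Table RoleAssigneeName, EffectiveUserName,
                 RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Re-run the last command whenever membership of the role group changes to confirm that only the intended accounts appear.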
That’s it for this blog.
Microsoft MVP | CTO @ Golden Five
Team@MSExchangeGuru
October 19th, 2016 at 7:38 am
Hi Prabhat,
Nice article, thanks for sharing.
Will it work for Exchange 2013 as well?
Regards,
Aravind M
October 19th, 2016 at 3:22 pm
Yes, it should.
November 15th, 2016 at 4:53 am
Yes, it works for 2013 successfully.
April 24th, 2017 at 9:36 am
Hi Prabhat,
I want to give our “IT Helpdesk” the rights to reset user passwords through EAC in Exchange 2013 for a particular OU in Active Directory. How do I do it? If I add the “IT Helpdesk” AD login to “members” in “Organisation Management”, then won’t Helpdesk also have other rights on the Exchange organization? Thanks in advance for your help.
April 26th, 2017 at 5:40 am
They should use ADUC and you should use the delegation wizard in ADUC.
April 26th, 2017 at 8:32 am
Hi Prabhat,
Thanks for your response. We want to give the “reset password” feature through EAC only. I followed the steps given below:
1. Run the 3 commands mentioned in your article
2. Under “Admin roles”, I created a New role group with following details :
New Role Group Name : PasswordResetHelpdesk
Write scope : OU : SalesUsers
Roles : Reset Password
Members : IT Helpdesk
3. I open ADUC and delegate the “password reset” permission on the “SalesUsers” OU to the user “IT Helpdesk”
4. Now I log in to EAC using the login “IT Helpdesk”. I try to reset the password of a user named “John” who is part of the “SalesUsers” OU. When I put in the new password and click the “Save” button, I get the below error message:
Recipient “xxx.com/John” couldn’t be read from domain controller “yyy.xxx.com”. This may be due to replication delays. Switching out of Forest mode should allow this operation to complete successfully.
Do I need to add some other role in the above mentioned role group “PasswordResetHelpdesk” in EAC?
Note : If I login to ADUC using “IT Helpdesk” login and try to reset the password of a user in “SalesUsers” OU then I am able to reset the password but when I use EAC console to reset the password then I get the above mentioned message.
Thanks again in advance for your help.
July 10th, 2017 at 11:54 am
Is there a way to see a list of non-mailbox users in order to be able to reset their passwords? Seems like they would have a backdoor for something like this in Exchange.
Thanks.
July 11th, 2017 at 3:11 am
You should use dsa.msc for it.