Problem: By default, only members of “Domain Admins” have the right to change user passwords.
Often there is a need for a delegated helpdesk (or service desk) user group that can only reset user passwords, without full domain admin rights.
Solution: Install univention-admingrp-user-passwordreset
The idea behind this extension is a new group called “User Password Admins”. It will be created automatically.
Members of this group will only see the users module in UMC and they will be able to change everyone’s user password, except those of members of the “Domain Admins” group.
univention-install univention-admingrp-user-passwordreset
Via UCR you may configure additional users and groups whose passwords cannot be reset, as well as additional groups that are allowed to reset passwords:
ldap/acl/user/passwordreset/accesslist/groups/.*:
With 'ldap/acl/user/passwordreset/accesslist/groups/IDENTIFIER' an arbitrary number of groups can be defined whose members are granted the permission
to modify the password of other users. The DN of the group must be specified. IDENTIFIER can be an arbitrary name, e.g. "helpdesk".
ldap/acl/user/passwordreset/protected/gid: Domain Admins
The groups configured here are protected against password changes by the password reset groups (see 'ldap/acl/user/passwordreset/accesslist/groups/.*').
Multiple groups need to be separated by commas. If the variable is changed, the OpenLDAP server is restarted automatically.
ldap/acl/user/passwordreset/protected/uid:
The usernames configured here are protected against password changes by the password reset groups (see 'ldap/acl/user/passwordreset/accesslist/groups/.*').
Multiple usernames need to be separated by commas.
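The following shell helpers are an added example, not part of the original article or of the Univention package. They build the `key=value` assignments for the three UCR variables above so they can be reviewed before being passed to `ucr set`. The function names, the group DN, the identifier check and the sample names are assumptions of this example.

```shell
#!/bin/sh
# Added example: builds UCR assignments for the variables described above.
# Nothing is applied here; pass the printed assignment to `ucr set` yourself, e.g.
#   ucr set "$(reset_group_assignment helpdesk 'cn=Helpdesk,cn=groups,dc=example,dc=com')"
# All DNs, group names and user names used with it are constructed samples.

# Assignment for one additional password reset group.
# $1 = IDENTIFIER, $2 = DN of the group (the DN is required, not the group name)
reset_group_assignment() {
    case "$1" in
        # Conservative choice of this example: plain identifiers only
        ''|*[!A-Za-z0-9_-]*) echo "invalid identifier: $1" >&2; return 1 ;;
    esac
    case "$2" in
        *=*,*=*) ;;
        *) echo "group must be given as a DN: $2" >&2; return 1 ;;
    esac
    printf 'ldap/acl/user/passwordreset/accesslist/groups/%s=%s\n' "$1" "$2"
}

# Assignment for the protected groups (gid) or protected usernames (uid).
# $1 = gid|uid, remaining arguments = names; joined with commas as required.
protected_assignment() {
    kind=$1
    shift
    case "$kind" in
        gid|uid) ;;
        *) echo "kind must be gid or uid" >&2; return 1 ;;
    esac
    list=
    # `ucr set` overwrites the previous value, so this helper always keeps
    # "Domain Admins" in the protected group list (safeguard of this example).
    if [ "$kind" = gid ]; then list='Domain Admins'; fi
    for name in "$@"; do
        case "$name" in
            # A comma inside a name would silently split it into two entries
            ''|*,*) echo "invalid name: $name" >&2; return 1 ;;
        esac
        if [ "$kind" = gid ] && [ "$name" = 'Domain Admins' ]; then continue; fi
        list=${list:+$list,}$name
    done
    printf 'ldap/acl/user/passwordreset/protected/%s=%s\n' "$kind" "$list"
}
```

After applying the assignments, confirm with a test account from the reset group that passwords of protected users and groups can no longer be changed.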