Assigning the Password Reset capability to a group of users

Yesterday I met with a school district that has many tens of thousands of students in it across a lot of schools.  The district HQ manages IT for all of those schools with a primarily centralized staff, and several mobile personnel who do break/fix on-site.  A common issue in schools is also a very fundamental one: users forgetting their passwords.  So we had a discussion about how to delegate password reset permissions to nominated individuals in the schools… specifically the librarians in this case.

If you have not already looked at Role Based Access Controls in Outlook Live, you should… you will find that there is a lot to learn and a lot you can do… enough for more than a few posts on the topic.  On the topic of delegating the password reset functionality, we deal with this here.  I went over this guidance yesterday with the customer, and the response was “great, but we have 50 librarians to delegate this permission to, how can we do this in bulk?”

There are 2 ways to do this… I will let you decide which one you like best.

OPTION #1: Assign a role to a security enabled group

Normally when you create a group on Outlook Live, in the background it is created as a Universal Group.  There are two types of distribution groups: mail-enabled universal distribution groups and mail-enabled universal security groups. Mail-enabled universal distribution groups can be used only to distribute messages. Mail-enabled universal security groups can be used to grant access permissions to resources in Active Directory, and they can also be used to distribute messages.  If you use the Admin interface in the Exchange Control Panel (ECP), you can only create the former group type; you will need the latter to assign a role to it.  You can however manage membership of the group in the ECP.

To create a mail-enabled universal security group, you will need to do this in PowerShell:

New-DistributionGroup -Name librarians -Alias librarians -DisplayName "Librarians" -Type Security

You can then follow the directions we provide in the guidance, and in step 3 use the Librarians alias to assign the role.  The -User parameter accepts a mailbox or a Universal Security Group.

OPTION #2: Assign individual roles to a bunch of individuals

I used to be a systems admin many moons ago, and scripting was always a friend to me…. so I decided to look once again at how working with csv files could help out.  First of all however, I laid the groundwork by creating the custom role… this is a one off thing… simply follow steps 1 and 2 in the guidance.

Then I created a simple csv file that contained the aliases of the users I wanted to assign the new custom role to; for example:


…the key elements you will need to build into the script are as follows:

Read the fields pertaining to the users you want to assign the permission to into an array ($Records).  I use import-csv for this:

# -ErrorAction value assumed (Stop): abort if the file is missing or unreadable
$records = Import-Csv -Path $UsersFile -OutVariable string -ErrorAction Stop

Build a foreach loop to process each row in the array and run it through the New-ManagementRoleAssignment cmdlet.  PowerShell is a fairly flexible environment to work with, and you can create and work with array rows on the fly (e.g. $user)

foreach ($user in $records) {
    $this_alias = $user.alias

    # assign the role to the user – assigning result to variable to avoid listing the new object
    $results = Invoke-Command -Session $Session1 -ScriptBlock {param ($this_alias) New-ManagementRoleAssignment -Name "$this_alias Password Reset" -Role PasswordManagement_Custom -User $this_alias} -ArgumentList $this_alias
}

You will see that I have created a unique role assignment name for every user… this is because each role assignment name must be unique.

So, I hope this helps!  Don’t forget get-help is your friend here.  To write a script that removes the assignment, there is another cmdlet you can use: Remove-ManagementRoleAssignment
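The steps of Option #2 put together as one script. This is an added example, not the author's own code: it skips aliases that already hold the assignment so a re-run is safe, and it records a per-user result. It assumes $Session1 is an open remote session used the same way as in the snippets above, and that the CSV (file names here are hypothetical) has an "alias" column.

```powershell
# Added example. Assumptions: $Session1 is an open remote PowerShell session
# to Outlook Live, PasswordManagement_Custom already exists (steps 1 and 2 of
# the guidance), and librarians.csv (hypothetical name) has an "alias" header.
param(
    [string]$UsersFile = '.\librarians.csv',
    [string]$Role      = 'PasswordManagement_Custom'
)

$records = Import-Csv -Path $UsersFile -ErrorAction Stop

$report = foreach ($user in $records) {
    $alias = "$($user.alias)".Trim()
    if (-not $alias) { continue }            # skip blank rows
    $name = "$alias Password Reset"          # assignment names must be unique

    try {
        # Idempotence: do not try to create the same assignment twice on a re-run.
        $existing = Invoke-Command -Session $Session1 -ScriptBlock {
            param($n)
            Get-ManagementRoleAssignment -Identity $n -ErrorAction SilentlyContinue
        } -ArgumentList $name

        if ($existing) {
            $status = 'AlreadyAssigned'
        } else {
            Invoke-Command -Session $Session1 -ErrorAction Stop -ScriptBlock {
                param($n, $r, $a)
                New-ManagementRoleAssignment -Name $n -Role $r -User $a -ErrorAction Stop
            } -ArgumentList $name, $Role, $alias | Out-Null
            $status = 'Assigned'
        }
    } catch {
        $status = "Failed: $($_.Exception.Message)"   # e.g. unknown alias
    }

    [pscustomobject]@{ Alias = $alias; Assignment = $name; Status = $status }
}

# Keep a record of who was granted the capability, for later review or removal.
$report | Export-Csv -Path '.\password-reset-assignments.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

The exported file lists the exact assignment names, which is what a later clean-up with Remove-ManagementRoleAssignment would need.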



5 Responses to Assigning the Password Reset capability to a group of users

  1. Rami says:

    Actually, I want to add a password to my group on Windows Live Messenger. How do I do that? Because, well, I only want friends, family and people I add to join, and without a password other people will want to. Please help!

  2. US LiveAtedu says:

    @rami… do you mean Windows Live Groups? If so, this is closed by default.

  3. Mike says:

    Is it possible to allow the password reset option for a specific group of individuals but only allow them to reset a limited group of users' passwords? E.g. AdminGroup1 can reset a password only if the user belongs to MailGroup1. We have over 60 schools that are getting set up under our live@edu setup and would like to delegate control of password resets to an individual on each site, but we only want the admin on site to be able to reset the users on that site.

  4. US LiveAtedu says:

    @Mike You can achieve this, but the changes you would make would not (yet) show up in the Exchange Control Panel; anyone wanting to change an end-user's password would have to do so through our PowerShell interface, or through some admin page that you would create on your end, that in turn, uses PowerShell.

    Here are the commands to achieve what you are asking. The scenario here is that you only want a group of admin users being able to work with a section of your user population:

    # Security group for Elem Admins
    New-DistributionGroup -Name "Elem School HelpDesk" -Alias elemhelpdesk -Type security

    … then add your school admins to that group

    # Management Scope for Elem Students – create a scope using a filter, I am using the Department attribute
    New-ManagementScope -Name "Elementary School Students" -RecipientRestrictionFilter { Department -eq "Elementary School" }

    # Assign Reset Password role to Elem Admins Group for Elem Students
    New-ManagementRoleAssignment -Name "Elementary School Students_Reset Password" -SecurityGroup "Elem School HelpDesk" -Role "Reset Password" -CustomRecipientWriteScope "Elementary School Students"

    You can then test that this works by trying to change a user's password for users that are in the scope, and not in the scope… the cmdlet will fail for users NOT in the scope.

    Set-Mailbox elem01 -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force) -ResetPasswordOnNextLogon $true

  5. Pingback: Assigning the Password Reset capability to a group of users « Live@edu | Password Recovery Download
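The scoped delegation from the reply to Mike (comment 4), repeated for a list of schools and followed by a review of the resulting scopes. This is an added example, not code from the post or its comments; it goes beyond the single-school case shown there, assumes the Outlook Live cmdlets are available in the current session and that each user's Department attribute holds the school name, and uses constructed school data.

```powershell
# Added example. The school list is constructed sample data; the group,
# scope and assignment naming follows the pattern used in comment 4.
$schools = @"
School,Alias
Elementary School,elemhelpdesk
Lakeside Middle School,lakesidehelpdesk
"@ | ConvertFrom-Csv

foreach ($s in $schools) {
    # The name is interpolated into a recipient filter, so accept only
    # letters, digits, spaces, dots and hyphens and skip anything else.
    if ($s.School -notmatch '^[\w .-]+$') {
        Write-Warning "Skipping school with unexpected characters: $($s.School)"
        continue
    }

    $group  = "$($s.School) HelpDesk"
    $scope  = "$($s.School) Students"
    $filter = "Department -eq '$($s.School)'"

    # One security group, one scope and one assignment per school, so each
    # site's admins can reset passwords only for that site's users.
    New-DistributionGroup -Name $group -Alias $s.Alias -Type Security | Out-Null
    New-ManagementScope -Name $scope -RecipientRestrictionFilter $filter | Out-Null
    New-ManagementRoleAssignment -Name "${scope}_Reset Password" `
        -SecurityGroup $group -Role 'Reset Password' `
        -CustomRecipientWriteScope $scope | Out-Null
}

# Review: every Reset Password assignment and the scope that bounds it.
# An empty CustomRecipientWriteScope means the assignment is limited only
# by the role's implicit scope, not by a per-school filter.
Get-ManagementRoleAssignment -Role 'Reset Password' |
    Select-Object Name, RoleAssigneeName, CustomRecipientWriteScope |
    Sort-Object Name | Format-Table -AutoSize
```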
