Give Users the Ability to Reset Passwords

Outlook Web App > For Administrators > Assign Roles and Permissions > Administrator Role Groups >

Topic Last Modified: 2009-10-06

Wouldn't it be great if you could give help desk personnel permission to reset forgotten passwords without giving them access to other administrative functionality in the Outlook Live organization? You have several options:

Add the help desk personnel to the Help Desk role group By default, the Reset Password role is assigned to the Help Desk role group. But note: the Help Desk role group includes these additional roles:
- User Options This role allows users to access the Options page of other users for troubleshooting purposes. Here's how: Access Another User's Options Page
- View-Only Recipients This role allows the user to see the configuration of all mailboxes, mail users, mail contacts, groups, and dynamic distribution groups. The help desk personnel can see the object configurations, but they can't modify anything.

If this additional scope works for your organization, you don't have to do anything else.

Too much power?

What if you think that the additional roles give too much power to the help desk personnel? You have these options:

Optional Step: Remove the extra roles from the Help Desk role group Before you add users to the Help Desk role group, you can remove the extra roles. Be aware: This approach reduces the capabilities of all existing members of the Help Desk role group.
Assign the Help Desk role to a security group With this approach, you don't use the Help Desk role at all. Instead, you create a new security group, assign the Reset Password role to the security group, and add the users to the security group.

Add the help desk personnel to the Help Desk role group

In the Web management interface:

Select My Organization > Users & Groups > Administrator Roles.
Select the Help Desk role group, and then click Details.
Under Members, click Add.
In the Select Members dialog box, select one or more users. You can search for users by typing all or part of a display name, and then clicking . You can also sort the list by clicking the Display Name or E-Mail Address column headings.
Click Add.
Click OK to return to the role group page.
Click Save to save the change to the role group.

The new member is displayed under Members in the details pane for the selected role group.

Optional Step: Remove the extra roles from the Help Desk role group

You perform this step using Windows PowerShell.

To learn how to install and configure Windows PowerShell and connect to Outlook Live, see Use Windows PowerShell.

Remove the extra roles from the Help Desk role group

Run the following commands after you have connected to the Outlook Live server-side session:

Copy

Remove-ManagementRoleAssignment "User Options-Help Desk" -Confirm:$false
Remove-ManagementRoleAssignment "View-Only Recipients-Help Desk"-Confirm:$false

Note To assign the removed roles back to the Help Desk role group, run the following commands:

Copy

New-ManagementRoleAssignment -Role "User Options" -SecurityGroup "Help Desk"
New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "Help Desk"

Assign the Help Desk role to a security group

There are three steps:

Create a security group Do this using Windows PowerShell.
Assign the Reset Password role to the security group Do this using Windows PowerShell.
Add users to the security group You can do this using the Web management interface or using Windows PowerShell.

1. Create a security group

Run the following command after you have connected to the Outlook Live server-side session:

Copy

New-DistributionGroup -Name <Group Name> -Type Security

For example, to create a security group named "Password Resets", run the following command:

Copy

New-DistributionGroup -Name "Password Resets" -Type Security

2. Assign the Reset Password role to the security group

Run the following command after you have connected to the Outlook Live server-side session:

Copy

New-ManagementRoleAssignment -Role "Reset Password" -SecurityGroup <security group>

For example, to assign the "Reset Password" role to the security group named "Password Resets", run the following command:

Copy

New-ManagementRoleAssignment -Role "Reset Password" -SecurityGroup "Password Resets"

3. Add users to the security group

You can use the Web management interface or Windows PowerShell. After the users are added to the group, they can reset users' passwords.

Using the Web management interface

Select My Organization > Users & Groups > Public Groups.
In the Groups list, select the group and click Details.
In the Membership section, click Add.
In the Select Members page, select the users you want to add. When you are finished, click OK.
On the Group page, click Save.

Using Windows PowerShell

Run the following command after you have connected to the Outlook Live server-side session:

Copy

Add-DistributionGroupMember <security group> -Member <user>

For example, to add the user "Ayla Kol" to the security group "Password Resets", run the following command:

Copy

Add-DistributionGroupMember "Password Resets" -Member "Ayla Kol"

Note You can use the Update-DistributionGroupMember cmdlet with the Members parameter to specify multiple users separated by commas. However, the list of users you specify overwrites the current members of the security group.

Next steps

To reset passwords in the Web management interface, see Reset a User's Password.
To reset passwords in Windows PowerShell, see Reset a User's Password with Windows PowerShell.