How can I deny admins the right to reset their own password?

Question

I have a bunch of users who have (quite properly) the ability to reset passwords. Unfortunately, a number of them are abusing this ability by resetting (rather than changing) their own passwords so that they keep the same password in spite of the password policies. 
 These users are members of a specific group. Is there a way that I can deny them the right to reset only their own password? I don't want to block them from being able to reset their colleagues passwords, just their own. 
 Thanks, 
 
 Mike...

Aidar.Karabalaev · Accepted Answer

(I made correction to the terms in the post) 
 >'Password Change' is the usual route for users to take. -native MSFT Windows/AD rights only. ARS does not /cannot grant it. >&rsquo;Password Reset&rsquo; is the administrative privilege &ndash; granted to AD\HelpDesk group &lsquo;native ACL&rsquo; in ADUC or &lsquo;virtually&rsquo; in ARS. 
 #1. I would not recommend to do this. If AD\HelpDesk AD\jsmith can *Reset Password* for all accounts, then he can change it for himself. *Change Password* is native MSFT cunctionality for all AD users, probably part of AD GPO, and out of ARS/AD Management Workflow scope. 
 #2. AD Management workflow Change. Introduce exemption:AD|HelpDesk user's password can be *Reset Password* by AD\ADmins only (higher level exemption ticket) 
 #3. Workflow or Policy Script: IF Caller ID (SID/Logon/GUID) = Target Object ID THEN throw exemption "MyCompany AD Management Policy Violation: AD ADmins cannot *Reset Password* on itself". (No recommended as #1.)

BenH · Answer

You can create a Workflow which checks the initiator and the object, where operations should be performed. If they are the same, you can add a stop action

Endpoint Privilege Management

How can I deny admins the right to reset their own password?

Top Replies