AD user passwords can be reset from UNAB on a Unix endpoint, eliminating the need to always involve a Windows administrator to do it on the Windows side.
Just like in Windows itself, a privileged AD account must be used to update someone else's password from Unix. Accounts in the administrative groups can do that by default; however, the recommended method is to delegate the password reset and user-control read/write privileges to an ordinary account and use it, effectively, as a Unix-side administrator assistant account.
That account does not need Unix attributes specified, i.e., it stays a pure AD account and is "invisible" from the Unix side. The ADUC MMC snap-in allows you to delegate the necessary rights in Windows as a single task with only a few mouse clicks.
Please see Microsoft's articles for authoritative details, e.g., https://support.microsoft.com/en-us/help/296999/minimum-permissions-are-needed-for-a-delegated-administrator-to-force
Here is an example with users from a domain different from the UNAB registration domain:
admassistant - AD user who was delegated the right to reset other AD users' passwords;
aduser2o - AD user who forgot his password and needs it reset;
othercorp.net - domain where the above accounts live (the domain must be specified in this case, because when a domain is omitted the registration domain is assumed).
/> uxconsole -krb -passwd -a firstname.lastname@example.org email@example.com
CA ControlMinder UNAB uxconsole v18.104.22.16838 - console utility
Copyright (c) 2013 CA. All rights reserved.
Password for firstname.lastname@example.org:
New password for aduser2o@OTHERCORP.NET:
Enter the new password again:
Successfully changed password for 'aduser2o@OTHERCORP.NET'.
And now let's verify the new password:
/> uxconsole -krb -init email@example.com
CA ControlMinder UNAB uxconsole v22.214.171.12438 - console utility
Copyright (c) 2013 CA. All rights reserved.
Password for aduser2o@OTHERCORP.NET:
Successfully authenticated to Active Directory. Credentials are in '/tmp/krb5cc_0'.
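The reset-then-verify procedure above, wrapped in a small POSIX shell script. This is an added example, not CA's code; it assumes uxconsole is on PATH and accepts the flags shown above (-krb -passwd -a, -krb -init), that the registration domain is othercorp.net unless REG_DOMAIN is set, and that kdestroy (assumed MIT/Heimdal) removes the cache uxconsole wrote.

```shell
#!/bin/sh
# Added example (not CA's code). Wraps the article's uxconsole flow:
#   uxconsole -krb -passwd -a <delegated-admin> <user>   resets the password
#   uxconsole -krb -init <user>                          proves the new one works
# Account and domain names are the article's (admassistant, aduser2o, othercorp.net).

REG_DOMAIN="${REG_DOMAIN:-othercorp.net}"   # assumed UNAB registration domain

# qualify_principal USER [DOMAIN]
# Append a domain to a bare user name: uxconsole assumes the registration
# domain when none is given, which is wrong for accounts in another domain.
qualify_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "${2:-$REG_DOMAIN}" ;;
    esac
}

# reset_and_verify ADMIN TARGET [DOMAIN]
# Reset TARGET's password using the delegated ADMIN account (never a full
# domain admin), then verify by obtaining a Kerberos TGT for TARGET.
reset_and_verify() {
    admin=$(qualify_principal "$1" "$3")
    target=$(qualify_principal "$2" "$3")
    uxconsole -krb -passwd -a "$admin" "$target" || return 1
    # Verification leaves TARGET's TGT in a cache on this host (the article
    # shows /tmp/krb5cc_0). Destroy it so the user's ticket does not linger
    # under the administrator's uid; assumes kdestroy targets that cache.
    if uxconsole -krb -init "$target"; then
        command -v kdestroy >/dev/null 2>&1 && kdestroy >/dev/null 2>&1
        return 0
    fi
    return 1
}

# Usage (interactive prompts for both passwords, as in the article):
#   reset_and_verify admassistant aduser2o othercorp.net
```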