Delegate rights to unlock accounts

Guest

I would like to delegate the right to unlock accounts to Helpdesk staff but
cannot find any security option on User objects to do this.

I have seen mention of "Read lockoutTime" and "Write lockoutTime" but cannot
find these properties. The process I have followed is:

1. In Active Directory Users and Computers, right-click the container I want
to delegate and select "Delegate Control..."
2. Choose the group I want to assign these rights to.
3. Select "Choose a custom task to delegate"
4. Choose "Only the following objects in the folder" and select "User Objects"
5. Select "Property-specific" permissions.

This list of permissions does not include "Read lockoutTime" and "Write
lockoutTime".

The list does include "Read userAccountControl" and "Write
userAccountControl" which I believe may hold the flag for lockout status
amongst other things. Would this then be my only option and if so why?

Any help would be greatly appreciated.

Thanks
 
Go to the OU (or domain) you want to provide rights to. Right-click and
select Delegate Control, Next, add users, Next, select Reset user passwords
etc...

This should provide the necessary rights to the users you added.
 
Sorry... Disregard

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks Paul but unfortunately that didn't work. Is this supposed to assign
rights to unlock as well as reset passwords?

When the Helpdesk staff go into AD Users and Computers and locate the
account that is locked, all user properties are grayed out and there is no
check in the "Account Locked" checkbox. When I view this account as a Domain
Admin, I can see the account as locked and obviously have the rights to
uncheck the box.
 
http://support.microsoft.com/?id=294952

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

 
Thanks to Joe Richards and ptwilliams. I haven't tried it yet but it looks
like this is exactly what I need to do.
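
The property-specific delegation this thread asks about (Read/Write lockoutTime on user objects, without the broader userAccountControl write), shown as an added PowerShell example that is not from any poster or from the linked article. The OU and group names are hypothetical, and it assumes the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.

```powershell
# Added example. $ou and $group are hypothetical; replace with your own values.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk'

# Resolve schema GUIDs from the directory instead of hardcoding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$lockoutTime = Get-SchemaGuid 'lockoutTime'   # the attribute to delegate
$userClass   = Get-SchemaGuid 'user'          # limit inheritance to user objects

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ReadProperty + WriteProperty on lockoutTime only, inherited by
# descendant user objects. No other attribute becomes writable.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTime,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: list every ACE on the OU that targets lockoutTime, so unexpected
# trustees holding the same right are visible alongside the new one.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $lockoutTime } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# Equivalent one-liner with dsacls:
#   dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\Helpdesk:RPWP;lockoutTime;user"
```

Accounts protected by AdminSDHolder do not inherit this ACE, so Helpdesk staff will still be unable to unlock privileged accounts.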
 