denied access to unlock user account

[Henrico]

I have a user who was delegated the permission to unlock
user accounts. While this generally works, he has come
across (at least) one user where the option to unlock an
account is not available.

Both users are in the same group used for the
delegation. Is this why one can't unlock the other?

Thanks

 

[Laurie]

check your group policy settings

 

[Chriss3]

How To Delegate the Unlock Account Right:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

 

[Henrico]

The delegation is done correctly. The user with
permission can unlock any other account except this one.
Further testing has determined that group membership is
not the issue. We had another member of the same group
lock her account and he was able to unlock her's OK. The
only other issue is that the problem account WAS a domain
admin at one time but is not now. In NT4 you had to be a
domain admin to unlock the account for another domain
admin.? (Grasping at straws I guess)

 

[Chriss3]

Check the particular accounts ACL.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

 

[Henrico]

Thanks Christoffer.

I did check the permissions on his account, and they were
not the same as other users. Apparently removing an
account from domain admins does not reset the account
security back to a "normal" user. From the "Advanced"
security screen, I "checked" to inherit from parent, and
this reset his security to a "normal" user.