Righs to unlock accounts:Set "read/write accountlockout" time, but option is still gray out

  • Thread starter Thread starter Marlon Brown
  • Start date Start date

Marlon Brown

I need to allow helpdesk to 'unlock' accounts under a certain OU.

This is a Win 2000 SP4 AD.
I run the AD Users & Computers from my WinXPSP2 console. I follow the steps
below, but when I logon as myhelpdeskguy and attempt to access the "account
lockout" from a respective locked user account, the option is gray-out.
Please note that the account I am trying to unlock is locked because I see
the "account lockout" option checked.

I run the below from a WInXPSP2 Users & Computers console connected to my
DC1. I go back to the respective OU, Propertiers, Security tab and I
confirm that the "read/write lockouttime" is checked. Still helpdesk folks
can't unlock accounts.

What am I missing here ?

To delegate the right to a group or user: 1. Create the group or user
account that you want to have the right to unlock user accounts in Active
Directory Users and Computers (for example, Help Desk Admins).
2. Right-click the domain in Active Directory Users and Computers, and
then click Delegate Control from the menu that is displayed.
3. The Delegation of Control Wizard should be displayed. On the
Welcome dialog box, click Next.
4. On the Users and Groups dialog box, click Add. Select the group in
the list that you want to give the right to unlock accounts, and then click
OK. On the Users and Groups dialog box, click Next.
5. On the Tasks to Delegate dialog box, click Create a custom task to
delegate, and then click Next.
6. On the Active Directory Object Type dialog box, click Only the
following objects in the folder:. In the list, click User objects (the last
entry in the list), and then click Next.
7. On the Permissions dialog box, click to clear the General check
box, and then click to select the Property-specific check box. In the
Permissions list, click to select the Read lockoutTime check box, click to
select the Write lockoutTime check box, and then click Next.
8. On the Completing the Delegation of Control Wizard dialog box,
click Finish.