trouble with delegating unlock rights

  • Thread starter Thread starter jchildress
  • Start date Start date
J

jchildress

I am trying to delegate account unlock rights as per KB294952 with no
success. When the users review a locked account the unlock box is still
grayed out. I have modified the Dssec.dat file on the workstations
being used and have included a dump from DSACLS on object. Any help
would be appreciated.

Thanks
Joe

Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow COFCU\Domain Admins FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\User1 FULL CONTROL
<Inherited from parent>
Allow COFCU\User2 FULL CONTROL
<Inherited from parent>
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL
<Inherited from parent>
Allow COFCU\COMPUTER7$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL
<Inherited from parent>
Allow COFCU\COMPUTER5$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Account Operators SPECIAL ACCESS for
computer
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for
user
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for
group
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Print Operators SPECIAL ACCESS for
printQueue
CREATE CHILD
DELETE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\User1 SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User1 SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User1 SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow COFCU\User2 FULL CONTROL
<Inherited from parent>
Allow COFCU\User1 FULL CONTROL
<Inherited from parent>
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL
<Inherited from parent>
Allow COFCU\COMPUTER7$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL
<Inherited from parent>
Allow COFCU\COMPUTER5$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\User1 SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User1 SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User1 SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY

Inherited to group
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Remote Access Information <Inherited from parent>
READ PROPERTY
Allow COFCU\Help_Desk SPECIAL ACCESS for
lockoutTime <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User3 SPECIAL ACCESS for
lockoutTime <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Help_Desk SPECIAL ACCESS for
lockoutTime
WRITE PROPERTY
READ PROPERTY
Allow COFCU\User3 SPECIAL ACCESS for
lockoutTime
WRITE PROPERTY
READ PROPERTY
The command completed successfully
 
Joe
Thanks for the quick response on this. I downloaded the unlock utility
but help desk users get an insufficient rights when it is run. Seems to
be a perplexing problem. All looks right to me. Any more suggestions?
Joe
 
Allow COFCU\Help_Desk SPECIAL ACCESS for
From that, it shows two ACEs for both Help_Desk and User3 to unlock an account.
I can not tell if that is a dump for a container or for a user. If it is for a
user, user3 or anyone in help_desk that is properly getting the SID in their
token for that group should be able to unlock the account. If it is for a
container, do a dump of the actual user you are having a problem with, it could
be that inheritence is blocked and the permission isn't being applied.

joe
 
Joe
Ok here is a dump of user3 dsacls. user3 and helpdesk are the 2
privileged items.
Thanks again for assistance
Joe

Access list:
Effective Permissions on this object are:
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\Domain Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Enterprise Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
Allow COFCU\user2 FULL CONTROL
<Inherited from parent>
Allow COFCU\user1 FULL CONTROL
<Inherited from parent>
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL
<Inherited from parent>
Allow COFCU\CHIT7$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL
<Inherited from parent>
Allow COFCU\CHIT5$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
group <Inherited from parent>
CREATE CHILD
DELETE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
user <Inherited from parent>
CREATE CHILD
DELETE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\user1 SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow S-1-5-32-560 SPECIAL ACCESS for
tokenGroupsGlobalAndUniversal
READ PROPERTY
Allow S-1-5-32-561 SPECIAL ACCESS for
terminalServer
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Cert Publishers SPECIAL ACCESS for
userCertificate
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Help_Desk SPECIAL ACCESS for
lockoutTime <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\user3 SPECIAL ACCESS for
lockoutTime <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\user1 SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\user1 SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Remote Access Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for
Logon Information <Inherited from parent>
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY
Allow Everyone Change Password
Allow NT AUTHORITY\SELF Change Password

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow COFCU\user2 FULL CONTROL
<Inherited from parent>
Allow COFCU\user1 FULL CONTROL
<Inherited from parent>
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL CONTROL
<Inherited from parent>
Allow COFCU\CHIT7$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL CONTROL
<Inherited from parent>
Allow COFCU\CHIT5$ FULL CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow COFCU\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
group <Inherited from parent>
CREATE CHILD
DELETE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
user <Inherited from parent>
CREATE CHILD
DELETE CHILD
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\user1 SPECIAL ACCESS for
computer <Inherited from parent>
CREATE CHILD
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\IT Domain Administrators SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\user1 SPECIAL ACCESS for
gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\user1 SPECIAL ACCESS for
gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY

Inherited to group
Allow COFCU\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow COFCU\IT Domain Administrators FULL CONTROL
<Inherited from parent>
The command completed successfully
 
What I see there, user3 and helpdesk should both absolutely be able to unlock
the account. I have seen that delegation hundreds if not thousands of times.

I would log onto a machine with one of the IDs and do a whoami /groups or use my
sectok to find out what SIDs are in the token to verify the issue isn't there
somewhere.
 
I am trying to delegate account unlock rights as per KB294952
with no
success. When the users review a locked account the unlock box
is still
grayed out. I have modified the Dssec.dat file on the
workstations
being used and have included a dump from DSACLS on object. Any
help
would be appreciated.

Thanks
Joe

Access list:
Effective Permissions on this object are:
Allow NT AUTHORITYSYSTEM FULL
CONTROL
Allow COFCUDomain Admins FULL
CONTROL
Allow NT AUTHORITYAuthenticated Users SPECIAL
ACCESS
READ
PERMISSONS
LIST
CONTENTS
READ
PROPERTY
LIST
OBJECT
Allow COFCUUser1 FULL
CONTROL
<Inherited from parent>
Allow COFCUUser2 FULL
CONTROL
<Inherited from parent>
Allow COFCUIT Domain Administrators FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL
CONTROL
<Inherited from parent>
Allow COFCUCOMPUTER7$ FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL
CONTROL
<Inherited from parent>
Allow COFCUCOMPUTER5$ FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL
CONTROL
<Inherited from parent>
Allow BUILTINAdministrators SPECIAL
ACCESS
<Inherited from parent>
DELETE
READ
PERMISSONS
WRITE
PERMISSIONS
CHANGE
OWNERSHIP
CREATE
CHILD
LIST
CONTENTS
WRITE
SELF
WRITE
PROPERTY
READ
PROPERTY
LIST
OBJECT
CONTROL
ACCESS
Allow COFCUEnterprise Admins FULL
CONTROL
<Inherited from parent>
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS
<Inherited from parent>
LIST
CONTENTS
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS
<Inherited from parent>
LIST
CONTENTS
Allow BUILTINAccount Operators SPECIAL
ACCESS for
computer
CREATE
CHILD
DELETE
CHILD
Allow BUILTINAccount Operators SPECIAL
ACCESS for
user
CREATE
CHILD
DELETE
CHILD
Allow BUILTINAccount Operators SPECIAL
ACCESS for
group
CREATE
CHILD
DELETE
CHILD
Allow BUILTINPrint Operators SPECIAL
ACCESS for
printQueue
CREATE
CHILD
DELETE
CHILD
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
computer <Inherited from parent>
CREATE
CHILD
Allow COFCUUser1 SPECIAL
ACCESS for
computer <Inherited from parent>
CREATE
CHILD
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
gPOptions <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
gPLink <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser1 SPECIAL
ACCESS for
gPOptions <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser1 SPECIAL
ACCESS for
gPLink <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
Public Information <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
Personal Information <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
groupType <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
displayName <Inherited from parent>
WRITE
PROPERTY

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow COFCUUser2 FULL
CONTROL
<Inherited from parent>
Allow COFCUUser1 FULL
CONTROL
<Inherited from parent>
Allow COFCUIT Domain Administrators FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1394 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1397 FULL
CONTROL
<Inherited from parent>
Allow COFCUCOMPUTER7$ FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1454 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1455 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1476 FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1461 FULL
CONTROL
<Inherited from parent>
Allow COFCUCOMPUTER5$ FULL
CONTROL
<Inherited from parent>
Allow S-1-5-21-1659004503-1220945662-839522115-1390 FULL
CONTROL
<Inherited from parent>
Allow BUILTINAdministrators SPECIAL
ACCESS
<Inherited from parent>
DELETE
READ
PERMISSONS
WRITE
PERMISSIONS
CHANGE
OWNERSHIP
CREATE
CHILD
LIST
CONTENTS
WRITE
SELF
WRITE
PROPERTY
READ
PROPERTY
LIST
OBJECT
CONTROL
ACCESS
Allow COFCUEnterprise Admins FULL
CONTROL
<Inherited from parent>
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS
<Inherited from parent>
LIST
CONTENTS
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS
<Inherited from parent>
LIST
CONTENTS
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
computer <Inherited from parent>
CREATE
CHILD
Allow COFCUUser1 SPECIAL
ACCESS for
computer <Inherited from parent>
CREATE
CHILD
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
gPOptions <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUIT Domain Administrators SPECIAL
ACCESS for
gPLink <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser1 SPECIAL
ACCESS for
gPOptions <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser1 SPECIAL
ACCESS for
gPLink <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
Public Information <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
Personal Information <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
groupType <Inherited from parent>
WRITE
PROPERTY
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS for
displayName <Inherited from parent>
WRITE
PROPERTY

Inherited to group
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS
<Inherited from parent>
READ
PERMISSONS
WRITE
PERMISSIONS
LIST
CONTENTS
READ
PROPERTY
LIST
OBJECT
Inherited to user
Allow COFCUExchange Enterprise Servers SPECIAL
ACCESS
<Inherited from parent>
READ
PERMISSONS
LIST
CONTENTS
READ
PROPERTY
LIST
OBJECT
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS
<Inherited from parent>
READ
PERMISSONS
LIST
CONTENTS
READ
PROPERTY
LIST
OBJECT
Inherited to group
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS
<Inherited from parent>
READ
PERMISSONS
LIST
CONTENTS
READ
PROPERTY
LIST
OBJECT
Inherited to user
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS for
Logon Information <Inherited from parent>
READ
PROPERTY
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS for
Account Restrictions <Inherited from parent>
READ
PROPERTY
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS for
Group Membership <Inherited from parent>
READ
PROPERTY
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS for
General Information <Inherited from parent>
READ
PROPERTY
Allow BUILTINPre-Windows 2000 Compatible Access SPECIAL
ACCESS for
Remote Access Information <Inherited from parent>
READ
PROPERTY
Allow COFCUHelp_Desk SPECIAL
ACCESS for
lockoutTime <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser3 SPECIAL
ACCESS for
lockoutTime <Inherited from parent>
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUHelp_Desk SPECIAL
ACCESS for
lockoutTime
WRITE
PROPERTY
READ
PROPERTY
Allow COFCUUser3 SPECIAL
ACCESS for
lockoutTime
WRITE
PROPERTY
READ
PROPERTY
The command completed successfully
Click to expand...

Both http://support.microsoft.com/?id=294952 and
http://support.microsoft.com/?id=279723 should guide you how to do
this. It works for me!
However, why are the SIDs shown instead of the user/group names? Have
those users/groups been deleted?
Maybe a stupid remark, but did you assign the permissions to the
correct OU?

To see if it is correct check the permissions on the OU where you
delegated the permissions.

It should state
Type = ALLOW
Name = <group> or <user>
Permission = Read/Write Property (Read LockOutTime and Write
LockOutTime)
Inherited from = <not inherited>
Apply to = User Objects

The user objects you are trying to unlock should have permission
inheritance enabled
 
Back
Top