AD Permissions

Brian

We have created a new security group called Junior
Admins. The Jr. Admins are only going to be able to
reset passwords and unlock accounts. I have set up the
permissions on user objects only to allow the Jr. Admin
group reset passwords permissions. What I'm having
trouble with is the Unlocking Accounts. Anyone know
which permission you would enable to allow this?

Thanks!
 
Richard McCall [MSFT]

You can use one of the following two methods to accomplish this type of
delegation:


Method 1
--------



The DSACLS tool (Dsacls.exe) can facilitate the management of access control
lists (ACLs) for directory services. DSACLS enables you to query and
manipulate security attributes on Active Directory objects. This tool is
the command-line equivalent of the Security page on various Active Directory
snap-in tools.



You can use DSACLS to delegate the specific permission to unlock a locked
account in the Active Directory Users and Computers snap-in. For example, to
delegate the permission to unlock user accounts in a certain organizational
unit to a security group, use the following command:


dsacls "ou=ouname,dc=domain,dc=com" /i:s /g "domain\group name":rpwp;lockouttime;user


For an explanation of what each part of the preceding command means:


"ou=ouname,dc=domain,dc=com": This syntax represents the organizational
unit to which you want to delegate authority.



"/i:s": This syntax means that the permission is inherited onto child
objects only.


"/g "domain\group name":rpwp;lockouttime;user": This syntax means grant the
permission to the Global Security group "Group Name", grant Read permission
and Write permission, grant the permission to the lockoutTime attribute, and
grant the permission only to user-type objects.



As another example, to delegate authority to the members of the Help Desk
security group over user accounts in the Sales organizational unit in the
"ad.company.com" domain (down-level domain name = ad), you can use the
following command:

dsacls "ou=sales,dc=ad,dc=company,dc=com" /i:s /g "ad\help desk":rpwp;lockouttime;user

Method 2
--------


The ADSIEdit tool (Adsiedit.msc) is a low-level editor of Active Directory.
This tool is located on the Windows 2000 CD-ROM in the Support Tools folder.
You must select "Typical Install", and then locate the Support Tools folder.


To use the ADSIEdit tool:



1. Start the ADSIEdit tool (Adsiedit.msc) from the Windows 2000 Support
Tools folder.

2. Right-click the container or object that you want to grant this
permission to.

3. Click the Security tab.

4. Click Advanced.

5. Click Add, and then specify the user or group that you want to grant
this right to.

6. Click the Properties tab.

7. In the Apply onto: drop-down list, click User objects.

8. Click to select the Allow check box that is beside Read lockoutTime
and Write lockoutTime.

9. Click to select the "Apply these permissions to objects and/or
containers within this container only" check box.




For more information about the DSACLS tool, refer to the Windows 2000
Support Tools online Help.

For additional information about how to reveal an option in the Delegation
Wizard, click the article number below
to view the article in the Microsoft Knowledge Base:


279723 How to Grant Help Desk Personnel the Specific Right to Unlock Locked
http://support.microsoft.com/?id=279723
294952 How To Delegate the Unlock Account Right
http://support.microsoft.com/?id=294952
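Added example (not from the thread or the Knowledge Base articles): the same delegation as Method 1, applied with the ActiveDirectory PowerShell module instead of dsacls, followed by an audit pass that confirms the group's write rights on the OU cover nothing broader than lockoutTime. The OU and group names are constructed; it assumes the RSAT ActiveDirectory module and a session that is allowed to modify the OU's ACL.

```powershell
# Constructed target OU and delegate group (not the thread's real values).
Import-Module ActiveDirectory
$ouDN  = "OU=Sales,DC=ad,DC=company,DC=com"
$group = "AD\Help Desk"

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # attribute being delegated
$userClassGuid   = Get-SchemaGuid 'user'          # limit ACE to user objects

# Build the ACE: ReadProperty + WriteProperty on lockoutTime, inherited by
# descendant user objects only (same effect as /i:s ... :rpwp;lockouttime;user).
$sid    = (Get-ADGroup -Identity ($group -split '\\')[1]).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: every WriteProperty ACE for this group on the OU should be scoped to
# lockoutTime. Anything else means the delegation is wider than intended.
$writeAces = (Get-Acl -Path "AD:\$ouDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
foreach ($a in $writeAces) {
    if ($a.ObjectType -ne $lockoutTimeGuid) {
        Write-Warning ("Broader write right for {0} on {1}: ObjectType {2}, rights {3}" `
            -f $group, $ouDN, $a.ObjectType, $a.ActiveDirectoryRights)
    }
}
```

Re-running only the audit section is a cheap periodic check that the help-desk delegation has not drifted into a general write right over user objects.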
 
Guest

Thank You
 
