Delegate rights to unlock accounts

Guest

I would like to delegate the right to unlock accounts to Helpdesk staff but
cannot find any security option on User objects to do this.

I have seen mention of "Read lockoutTime" and "Write lockoutTime" but cannot
find these properties. The process I have followed is:

1. In Active Directory Users and Computers, right-click the container I want
to delegate and select "Delegate Control..."
2. Choose the group I want to assign these rights to.
3. Select "Choose a custom task to delegate"
4. Choose "Only the following objects in the folder" and select "User Objects"
5. Select "Property-specific" permissions.

This list of permissions does not include "Read lockoutTime" and "Write
lockoutTime".

The list does include "Read userAccountControl" and "Write
userAccountControl" which I believe may hold the flag for lockout status
amongst other things. Would this then be my only option and if so why?

Any help would be greatly appreciated.

Thanks
 
Paul Bergson

Go to the OU (or domain) you want to provide rights to. Right-click and
select Delegate Control, Next, add users, Next, select Reset user passwords
etc...

This should provide the necessary rights to the users you added.
 
Paul Bergson

Sorry... Disregard

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Thanks Paul but unfortunately that didn't work. Is this supposed to assign
rights to unlock as well as reset passwords?

When the Helpdesk staff go into AD Users and Computers and locate the
account that is locked, all user properties are grayed out and there is no
check in the "Account Locked" checkbox. When I view this account as a Domain
Admin, I can see the account as locked and obviously have the rights to
uncheck the box.
 
ptwilliams

http://support.microsoft.com/?id=294952

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
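
The delegation this thread is after, Read and Write lockoutTime on user objects under one OU, can be set directly on the OU's ACL instead of through the wizard. This is an added example, not code from the thread or the linked article; the OU path and group name are placeholders, and it assumes the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example: delegate "unlock account" (read/write lockoutTime) on user
# objects below one OU. $OuDn and $Group are placeholders, not real names.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$Group = 'EXAMPLE\Helpdesk'             # placeholder delegated group

# Resolve schema GUIDs from the directory instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [Guid]$obj.schemaIDGUID
}

$attrGuid = Get-SchemaGuid 'lockoutTime'   # the only property being granted
$userGuid = Get-SchemaGuid 'user'          # ACE applies to user objects only

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ReadProperty + WriteProperty on lockoutTime, inherited by
# descendant user objects; nothing is granted on the OU object itself.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review what is now delegated on lockoutTime for this OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and $_.InheritedObjectType -eq $userGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Lockout state is tracked in lockoutTime, and unlocking sets it to 0, so this ACE is enough for the "Account Locked" checkbox. Granting Write userAccountControl instead would also let the group enable or disable accounts and change flags such as "password not required", which is far more than an unlock right.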


 
Guest

Thanks to Joe Richards and ptwilliams. I haven't tried it yet but it looks
like this is exactly what I need to do.
 
