OU Permissions

Jeff · Oct 7, 2004

We have a group that will be using a tool to unlock user
accounts if needed. All the user accounts are located in
various containers under a particular OU. I added the
Group to access the OU but I am not sure what to check off
so that they can basically only unlock a user account.
Thanks.

Tomasz Onyszko · Oct 7, 2004

Jeff said:
We have a group that will be using a tool to unlock user
accounts if needed. All the user accounts are located in
various containers under a particular OU. I added the
Group to access the OU but I am not sure what to check off
so that they can basically only unlock a user account.
Thanks.

Check this KB
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q294952

Jeff · Oct 7, 2004

I actually found this after I posted but it didnt seem to
work. Do I have to refresh the policy even though the
policy is setup on the DC and the access is for the DC?

ptwilliams · Oct 8, 2004

Yep, you'll either need to refresh the policy on the DC, or wait - enough
time has now probably elapsed so this will be OK.

Bear in mind, that DCs apply policy every 5 mins, and send replication
notifications every 5 mins, so this shouldn't be a long wait (intrasite
anyway).

However, if you created a new group, applied the permissions to that group,
and added the users to that group then each user will need to logoff/logon
to get their new and updated access token.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
I actually found this after I posted but it didnt seem to
work. Do I have to refresh the policy even though the
policy is setup on the DC and the access is for the DC?

Jeff · Oct 8, 2004

Ok.. This still isnt working. Its telling me access
denied. Basically, its a VB app that allows you to enter
a username and passes this to a .bat file. The .bat file
executes a userinfo command that unlocks the account. I
have Domain Admin rights and tested the tool with no
problems at all so I know the tool itself works. When I
log on as the test user the tool launches and attempts to
execute the .bat file command which it does (I have echo
on and a pause to see what is happening). The next thing
it says is access denied. What else could it be?

Joe Richards [MVP] · Oct 9, 2004

The NetUser commands use the legacy API, they don't work with delegation. You
have to use the LDAP API to do this.

To prove to yourself this works, go download and try my unlock command line tool

http://www.joeware.net/win/free/tools/unlock.htm

joe

Unlock acct permissions	13	Feb 17, 2005
OU Admins?	3	Mar 7, 2005
How to prevent user to see default AD containers?	1	Nov 6, 2006
AD object permissions will not stick...why?	4	May 17, 2004
Custom MMC for OU	2	Apr 21, 2004
Firefox Multi-Account Containers	1	Aug 10, 2021
OU/Container Question Rephrased	2	Mar 24, 2005
Righs to unlock accounts:Set "read/write accountlockout" time, but option is still gray out	1	Nov 30, 2004

OU Permissions

Jeff

Tomasz Onyszko

Jeff

ptwilliams

Jeff

Joe Richards [MVP]

Ask a Question

Similar Threads