Unlocking passwords


Debra H

Is there a way to give an ordinary user the ability to
unlock passwords without using the AD Users and Computers
snap-in? I would like to assign certain managers this
ability but don't want them to use the snap-in. Are there
3rd party tools that can do this?

Thanks
(e-mail address removed)
 

Matjaz Ladava [MVP]

Hi Debra,

First you need to delegate the ability to unlock accounts to your users.
Follow http://support.microsoft.com/default.aspx?scid=kb;en-us;294952 to do
that. Next use script or some kind of utility to unlock the account. The
script for this would be something like this

strDomain = "domainname"
strUsername = "username"

' Bind to the account through the WinNT provider (NET API based, not LDAP)
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername & ",User")

' UF_LOCKOUT (&H0010) in UserFlags marks the account as locked out
Flags = objUser.Get("UserFlags")
If (Flags And &H0010) Then
    ' Xor with the bit that is known to be set clears only the lockout flag
    objUser.Put "UserFlags", Flags Xor &H0010
    objUser.SetInfo
End If
Set objUser = Nothing

You can learn more about UserFlags in
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

There is also a CLI utility for this called Unlock located at
http://www.joeware.net/win32/index.html if you don't like scripting.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Joe Richards [MVP]

You actually want to delegate WP to the lockoutTime attribute and if you write a script simply punch a zero into that
attribute. I haven't tested it but I think if you try the method below you will still get some errors as the WinNT
provider doesn't really use AD delegation, it uses the NET API calls which usually require Acc Op or Admin access
rights.

If you look at the listing for unlock on my web site you will see a DSACLS command to actually do the delegation as
well.

--
Joe Richards
www.joeware.net
 

Matjaz Ladava [MVP]

Of course you are right on this one. I was under impression that WinNT
provider accepts delegation. I should have used objUser.IsAccountLocked =
False, but as you said WinNT provider doesn't work.

Interesting part is, that there is a script located at
http://support.microsoft.com/?id=250873 which suggests that WinNT provider
is a way to go, because LDAP is not functioning. I went and tested what you
said and now I know something more :). So

' Bind through the LDAP provider so the write is checked against the AD delegation
Set objUser = GetObject("LDAP://cn=TestUser,ou=IT Test,dc=nwtraders,dc=msft")
' lockoutTime = 0 means "not locked out"
objUser.Put "lockoutTime", 0
objUser.SetInfo

will work and unlock the account and work according to delegated rights,
whereas the WinNT provider will return an Access denied error.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

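The two-step procedure the thread converges on (delegate Write Property on lockoutTime with DSACLS, then write 0 to lockoutTime over LDAP) as one added PowerShell example. This is not code from the thread or from joeware; the domain CONTOSO, the OU "OU=Staff,DC=contoso,DC=com", the group CONTOSO\Account-Unlockers and the user "CN=Jane Doe" are hypothetical names. It also adds the check a helpdesk script needs: lockoutTime stays non-zero after the lockout duration expires, so the constructed attribute msDS-User-Account-Control-Computed is read to see whether the account is actually locked before anything is written.

```powershell
# Added example, not from the thread. Hypothetical names: domain CONTOSO,
# OU "OU=Staff,DC=contoso,DC=com", group CONTOSO\Account-Unlockers, user CN=Jane Doe.

# Step 1 - one-time delegation, run as a domain admin.
# Grants Write Property (WP) on the lockoutTime attribute of user objects under the OU.
# /I:S = inherit to child objects only. No Account Operators or Domain Admins membership
# is needed for the unlockers afterwards, which is the point Joe Richards makes.
dsacls "OU=Staff,DC=contoso,DC=com" /I:S /G "CONTOSO\Account-Unlockers:WP;lockoutTime;user"

# Verify the ACE landed: the group should appear with WRITE PROPERTY on lockoutTime.
dsacls "OU=Staff,DC=contoso,DC=com" | Select-String "Account-Unlockers"

# Step 2 - unlock through the LDAP provider, run as a member of CONTOSO\Account-Unlockers.
function Test-AccountLockedOut {
    param([Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$User)

    # lockoutTime alone is misleading: the DC leaves it non-zero after the lockout
    # duration has elapsed. msDS-User-Account-Control-Computed is a constructed attribute
    # in which the DC sets UF_LOCKOUT (0x10) only while the account is really locked.
    $User.RefreshCache(@('msDS-User-Account-Control-Computed'))
    $flags = [int]$User.Properties['msDS-User-Account-Control-Computed'].Value
    return (($flags -band 0x10) -ne 0)
}

function Unlock-UserByLockoutTime {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # LDAP:// (not WinNT://) so the write is authorised by the delegated AD ACE.
    $user = [ADSI]"LDAP://$DistinguishedName"

    if (-not (Test-AccountLockedOut -User $user)) {
        Write-Host "$DistinguishedName is not locked out; nothing to do."
        return $false
    }

    try {
        # Same write as the thread's VBScript: lockoutTime = 0 clears the lockout.
        # Only WP on lockoutTime is exercised, so the ACE from step 1 is sufficient.
        $user.Put('lockoutTime', 0)
        $user.SetInfo()
        Write-Host "Unlocked $DistinguishedName"
        return $true
    }
    catch {
        # Access denied here means the DSACLS step was skipped, targeted the wrong OU,
        # or the caller is not in the delegated group.
        Write-Error "Failed to write lockoutTime on ${DistinguishedName}: $($_.Exception.Message)"
        return $false
    }
}

Unlock-UserByLockoutTime -DistinguishedName 'CN=Jane Doe,OU=Staff,DC=contoso,DC=com'
```

Run step 1 once per OU you want the managers to cover, then hand them step 2 (or joeware's Unlock utility, which writes the same attribute). Because the unlock is a plain LDAP write to lockoutTime, the same delegation is all that is required; the WinNT:// provider and the old IsAccountLocked property go through the NET APIs and will still return access denied for a merely delegated user, exactly as the thread found.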