Delegating account unlock rights in AD

Posted by ewall on Server Fault
Published on 2009-09-25T14:33:52Z

I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the error "You do not have the necessary permissions to unlock this account."

Here's what I've done:

  • I created a domain local group and added the members who should have the rights. This was created over a week ago, so the users have logged out and in again.
  • In ADUC, I've used the Delegate Rights wizard on the OU which contains our user accounts to grant permissions to Read lockoutTime and Write lockoutTime to the group, per MSKB 279723.
  • I have double-checked the permissions were applied correctly in ADSIEdit.
  • I have forced replication between all domain controllers to ensure the permission changes were copied over.
  • The user testing it has logged out and in again to ensure he has any changes applied to his account.

...That covers all the bases I can think of. Anything else I could be missing?
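The delegation described in the post, expressed as a script (added example, not code from the post or from MSKB 279723): it grants the group Read and Write on the lockoutTime attribute at the OU, inherited to descendant user objects only, and then checks a specific user object to see whether the ACE actually arrived there. The group name, OU path and test user are placeholders; the KB-prescribed permissions themselves (Read lockoutTime, Write lockoutTime) are the ones the post names.

```powershell
Import-Module ActiveDirectory

# Placeholder values (assumptions, not from the original post)
$GroupSam = 'AccountUnlockers'               # domain local group receiving the right
$OuDN     = 'OU=Users,DC=example,DC=com'     # OU that holds the user accounts
$TestUser = 'CN=Test User,OU=Users,DC=example,DC=com'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# schemaIDGUID of the lockoutTime attribute (the ObjectType of the ACE) and of the
# user class (the InheritedObjectType, so the ACE applies to descendant user objects only)
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

function Grant-LockoutTimeDelegation {
    param([string]$OuDN, [string]$GroupSam)

    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDN"

    # Allow ReadProperty + WriteProperty on lockoutTime, inherited to descendant user objects
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-LockoutTimeDelegation {
    # Reads the ACL of the user object itself (not the OU) and returns the ACEs that
    # grant the group write access on lockoutTime; an empty result means the right
    # did not reach this object (e.g. inheritance blocked or wrong inherited object type).
    param([string]$UserDN, [string]$GroupSam)

    $acl = Get-Acl -Path "AD:\$UserDN"
    $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$GroupSam" -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $lockoutTimeGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

Grant-LockoutTimeDelegation -OuDN $OuDN -GroupSam $GroupSam
Test-LockoutTimeDelegation -UserDN $TestUser -GroupSam $GroupSam
```

Run it against a domain controller after the change has replicated; `Test-LockoutTimeDelegation` is the useful half when a delegation is already in place, because it inspects the user object rather than the OU and so exposes cases where the ACE exists on the container but is not inherited by the account being unlocked.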
