Delegating account unlock rights in AD
Posted
by ewall
on Server Fault
See other posts from Server Fault
or by ewall
Published on 2009-09-25T14:33:52Z
Indexed on
2010/05/03
21:08 UTC
Read the original article
Hit count: 279
I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the error "You do not have the necessary permissions to unlock this account."
Here's what I've done:
- I created a domain local group and added the members who should have the rights. This was created over a week ago, so the users have logged out and in again.
- In ADUC, I've used the Delegate Rights wizard on the OU which contains our user accounts to grant permissions to Read lockoutTime and Writer lockoutTime to the group, per MSKB 279723
- I have double-checked the permissions were applied correctly in ADSIEdit.
- I have forced replication between all domain controllers to ensure the permission changes were copied over.
- The user testing it has logged out and in again to ensure he has any changes applied to his account.
...That covers all the bases I can think of. Anything else I could be missing?
© Server Fault or respective owner