Good Day,

We want to delegate a customized task to our Help Desk: the ability to unlock accounts. Working from TechNet article Q294952 I had to first expose the Read lockoutTime and Write lockoutTime attributes on my admin workstation in order to be able to delegate them from the ADUC Delegation of Control Wizard. (The pertinent parts of that article are pasted below.)
We went one step further while running the Wizard and granted them the ability to Read accountExpires and Write accountExpires (extend Expiration Dates) as well; these attributes, unlike the unlock account ones, were exposed by default. In short, everything seemed to work, and after testing it we created an MMC for the Help Desk so that they could run ADUC and begin unlocking accounts. Unfortunately only the Expiration Date attribute is available to them on a User's Account tab -- the Unlock Account facility remains grayed out for all locked accounts. In our initial test both abilities were present, but we're unable to duplicate that result and we've started the process from scratch several times. A call to MS is in process, but the MS Techs we've contacted there haven't been able to offer any help yet. In the meantime I thought to ask the list if anyone has any familiarity with this process.

Thanks,
Tom Kasmir

PS We are aware of the social engineering/security issues involved with granting these rights to Help Desk personnel and are actively training them in order to prevent any misuse.

From Q294952
------
To reveal the Unlock Account (lockoutTime) right for the Delegate Control Wizard:

- On the Windows 2000 computer on which you are planning to run the Active Directory Users and Computers console, open the %Systemroot%\System32\Dssec.dat file with Microsoft WordPad. (My Note: This only affected my machine -- each admin would have to edit this Directory Service Security File on his PC in order to also expose these attributes.)
- On the Edit menu, use the Find command to locate [user].
- Under the [user] section, find the lockoutTime entry. The entries are listed alphabetically.
- Change the value of the lockoutTime entry from lockoutTime=7 to lockoutTime=0.
- On the File menu, click Save As. When the formatting warning message is displayed, click OK.

The user rights for Read and Write lockoutTime should be selectable in the Delegate Control Wizard.
-----------------------------------------------------
To delegate the right to a group or user:

1. Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).
2. Right-click the domain in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed.
3. The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.
4. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
5. On the Tasks to Delegate dialog box, click "Create a custom task to delegate", and then click Next.
6. On the "Active Directory Object Type" dialog box, click "Only the following objects in the folder:". In the list, click "User objects" (the last entry in the list), and then click Next.
7. On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the "Read lockoutTime" check box, click to select the "Write lockoutTime" check box, and then click Next.
8. On the "Completing the Delegation of Control Wizard" dialog box, click Finish.
-----------------------------------------------------

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
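The wizard steps above leave nothing behind that tells you what was actually written to the directory, which is what you need to know when the Unlock option stays grayed out, and also what an auditor needs to confirm that the Help Desk got exactly the two per-attribute rights and nothing broader. The script below is an added example, not code from the original post or from KB Q294952. It assumes the ActiveDirectory PowerShell module (RSAT, so a later Windows than the Windows 2000 era of the post) and read access to the container's security descriptor; the $TargetDN and $Group values are placeholders. It resolves the schemaIDGUID of each delegated attribute from the schema rather than hard-coding it, reads the container's ACL, and reports for each attribute and right whether an Allow ACE for the group grants it to user objects, and whether that grant comes from the specific property ACE the wizard creates or from a broader "all properties" entry.

```powershell
<#
Added example (not from the original post or KB Q294952).
Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the
container's security descriptor. $TargetDN and $Group are placeholders.
#>
param(
    [string]$TargetDN = 'OU=Staff,DC=example,DC=com',   # placeholder: container where Delegate Control was run
    [string]$Group    = 'EXAMPLE\Help Desk Admins',     # placeholder: the delegated group
    [string[]]$Attributes = @('lockoutTime', 'accountExpires')
)

Import-Module ActiveDirectory

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "'$LdapDisplayName' not found in the schema" }
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'   # the wizard scopes the ACEs to "User objects"
$emptyGuid     = [guid]::Empty

# The module's AD: drive exposes the security descriptor through Get-Acl.
$acl = Get-Acl -Path "AD:\$TargetDN"

# All Allow ACEs for the group, so over-broad grants (Full Control etc.) show up as well.
$groupAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Group
}

$report = foreach ($attr in $Attributes) {
    $attrGuid = Get-SchemaGuid $attr
    foreach ($right in 'ReadProperty', 'WriteProperty') {
        $rightFlag = [System.DirectoryServices.ActiveDirectoryRights]::$right
        # An ACE grants the right if its rights include the flag, it names this
        # attribute (or no attribute at all, i.e. every property), and it applies
        # to user objects (or to every object class).
        $match = $groupAces | Where-Object {
            ($_.ActiveDirectoryRights -band $rightFlag) -and
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $emptyGuid) -and
            ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq $emptyGuid)
        } | Select-Object -First 1

        [pscustomobject]@{
            Attribute = $attr
            Right     = $right
            Granted   = [bool]$match
            Via       = if (-not $match) { '-' }
                        elseif ($match.ObjectType -eq $attrGuid) { 'property-specific ACE' }
                        else { 'ALL properties (broader than delegated task)' }
            Applies   = if ($match) { $match.InheritanceType } else { '-' }
        }
    }
}

$report | Format-Table -AutoSize

# Flag any entry for the group that is wider than the two attributes, since the
# wizard with "Property-specific" checked should not create such an ACE.
$broad = $groupAces | Where-Object { $_.ObjectType -eq $emptyGuid }
if ($broad) {
    Write-Warning "$Group holds ACEs on $TargetDN not limited to a single property:"
    $broad | Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType | Format-Table -AutoSize
}
```

Run it as an account that can read the container's ACL. A row showing Granted = False for Write lockoutTime means the wizard's ACE never landed (or landed on a different container than the one holding the locked accounts); a Granted = True row via "ALL properties" means someone delegated far more than unlock and expiry, which is worth following up regardless of whether the ADUC checkbox works.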
