Hi Tim

We have some users who were delegated the right to do this.  The delegation
wizard will not do it but you can change the security settings on the OU or
domain to allow specific groups / users the right without making them part
of any elevated group.

1.    On the Object tab, find Apply onto: click on the down arrow to find
User objects (last entry).

2.    In the Permissions:  window find Reset Password (2nd from the
bottom), check the Allow box.

3.    Click on the Properties tab, find Apply onto: click on the down arrow
to find User objects (last entry).

4.    In the  Permissions:  window check the Allow box for the following 4
permissions. (Permissions are more or less alphabetical, look about 1/3
down the list.)

                  Read lockoutTime
                  Write lockoutTime
                  Read pwdLastSet
                  Write pwdLastSet



Remark:  The user who is given this permission will not be able to unlock
any user that does not have "Inherit from parent the permission entries that
apply to child objects" checked off under the Security tab in a user's
properties.


This came out of the MS KB article
      http://support.microsoft.com/?kbid=294952

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
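
The delegation described in steps 1-4 above can also be applied and checked from the command line. The following is an added example, not part of the original message or the KB article; the OU, the group name and the use of dsacls.exe and the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example; all names below are placeholders, not values from the thread.
Import-Module ActiveDirectory                 # assumes RSAT AD module is installed

$TargetOU = 'OU=Staff,DC=example,DC=com'      # assumed OU holding the user accounts
$Delegate = 'EXAMPLE\Helpdesk-Unlock'         # assumed group receiving the delegation

# dsacls entry format: PermissionBits;Object-or-Property;InheritedObjectType
#   CA = control access (extended right), RP = read property, WP = write property
$Aces = @(
    'CA;Reset Password;user',    # step 2: Reset Password on User objects
    'RPWP;lockoutTime;user',     # step 4: Read/Write lockoutTime
    'RPWP;pwdLastSet;user'       # step 4: Read/Write pwdLastSet
)

foreach ($ace in $Aces) {
    # /I:S makes the entry inheritable to sub-objects only, matching
    # "Apply onto: User objects" in the GUI steps.
    & dsacls.exe $TargetOU /I:S /G "${Delegate}:$ace" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$ace' (exit code $LASTEXITCODE)"
    }
}

# Review what the group now holds on the OU.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Delegate

# The Remark above: accounts with inheritance disabled never receive the
# delegated entries. List them so they can be reviewed individually.
Get-ADUser -Filter * -SearchBase $TargetOU -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName
```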


"Myrick, Todd (NIH/CC/DNA)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
02/28/2005 09:30 AM EST
Please respond to ActiveDir

To:       [email protected]
cc:       (bcc: James Day/Contractor/NPS)
Subject:  RE: [ActiveDir] Unlock Workstation User Right




Account Operators Local Group I think.  Must use ADU&C, you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick


From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: [email protected]
Subject: [ActiveDir] Unlock Workstation User Right

I want to grant some users the right to unlock workstations in a W2K3
domain.  I have scanned through Group Policy and I can't seem to find the
appropriate setting to do this.  Is this a right that is automatically
granted to one of the Built-In groups?  If so, which one?  It seems
overkill to have to add users to the Administrators group to get this
right.

Thanks in advance for any help the list can give.

Tim
