How to grant help-desk personnel the specific right to unlock locked user accounts
Article ID: 279723
This article was previously published under Q279723
This article describes how help-desk supervisors or domain administrators can delegate the right to unlock locked user accounts.
You can use one of the following two methods to accomplish this type of delegation:
Method 1

The DSACLS tool (Dsacls.exe) can facilitate the management of access control lists (ACLs) for directory services. DSACLS enables you to query and manipulate security attributes on Active Directory objects. This tool is the command-line equivalent of the Security page on various Active Directory snap-in tools.
You can use DSACLS to delegate the specific permission to unlock a locked account in the Active Directory Users and Computers snap-in. For example, to delegate the permission to unlock user accounts in a certain organizational unit to a security group, use the following command:
dsacls "ou=ouname,dc=domain,dc=com" /I:s /G "domain\group Name":rpwp;lockoutTime;user
The parts of the preceding command mean the following:
"ou=ouname,dc=domain,dc=com": The organizational unit to which you want to delegate authority.
"/I:s": The permission is applied to child objects only, by inheritance.
"/G "domain\group name":rpwp;lockoutTime;user": Grant the Global Security group "Group Name" Read Property and Write Property permissions (rpwp) on the lockoutTime attribute, and apply the grant only to user-type objects.
As another example, to delegate authority to the members of the Help Desk security group over user accounts in the Sales organizational unit in the "ad.company.com" domain (down-level domain name = ad), you can use the following command:
dsacls "ou=sales,dc=ad,dc=company,dc=com" /I:s /G "ad\help desk":rpwp;lockoutTime;user
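As an added example that is not part of this article, the following PowerShell script audits the OU's ACL after the delegation: it lists every Allow ACE that can write lockoutTime and reports whether it is scoped as narrowly as the dsacls command above (the lockoutTime attribute only, user objects only, inherited to descendants). It assumes the RSAT ActiveDirectory module (which provides the AD: drive), PowerShell 5 or later, and an account that can read the OU's security descriptor; the OU path and the helper name Get-SchemaGuid are constructed for the example.

```powershell
# Added audit script, not part of the KB article. Assumes the RSAT ActiveDirectory
# module and PowerShell 5+. The OU below follows the article's example; substitute
# your own distinguished name.
Import-Module ActiveDirectory

$ou = "OU=Sales,DC=ad,DC=company,DC=com"

# Resolve the schema GUIDs for the lockoutTime attribute and the user class from
# the directory itself rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$Class, [string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$Class)(lDAPDisplayName=$LdapName))"
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}
$lockoutTimeGuid = Get-SchemaGuid -Class attributeSchema -LdapName lockoutTime
$userClassGuid   = Get-SchemaGuid -Class classSchema     -LdapName user

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl = Get-Acl -Path "AD:\$ou"

# Keep every Allow ACE that can write lockoutTime: either scoped to that attribute
# (ObjectType = its schema GUID) or covering all properties (ObjectType = empty GUID).
# GenericWrite and GenericAll include the WriteProperty bit, so they are caught too.
$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
    $onLockoutTime = $ace.ObjectType -eq $lockoutTimeGuid
    if (-not $onLockoutTime -and $ace.ObjectType -ne [guid]::Empty) { continue }
    $onUsersOnly = $ace.InheritedObjectType -eq $userClassGuid

    [pscustomobject]@{
        Identity          = $ace.IdentityReference.Value
        Rights            = $ace.ActiveDirectoryRights
        PropertyScope     = if ($onLockoutTime) { 'lockoutTime only' } else { 'ALL properties' }
        ClassScope        = if ($onUsersOnly) { 'user objects only' } else { 'all object classes' }
        Inheritance       = $ace.InheritanceType   # 'Descendents' is what /I:S produces
        # True only for an ACE scoped exactly like the article's dsacls grant.
        MatchesDelegation = $onLockoutTime -and $onUsersOnly
    }
}

# Entries with MatchesDelegation = False grant broader write access than the
# delegation described in the article and deserve a second look.
$report | Sort-Object MatchesDelegation -Descending | Format-Table -AutoSize
```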
Method 2

The ADSIEdit tool (Adsiedit.msc) is a low-level editor of Active Directory. This tool is located on the Windows 2000 CD-ROM in the Support Tools folder. You must select "Typical Install", and then locate the Support Tools folder.
To use the ADSIEdit tool:
For more information about the DSACLS tool, refer to the Windows 2000 Support Tools online Help.

For additional information about how to reveal an option in the Delegation Wizard, click the following article number to view the article in the Microsoft Knowledge Base:
296490 How to modify the filtered properties of an object (http://support.microsoft.com/kb/296490/)

For more information about delegation of permissions in Active Directory, click the following article numbers to view the articles in the Microsoft Knowledge Base:
294952 How to delegate the unlock account right (http://support.microsoft.com/kb/294952/)
817433 Delegated permissions are not available and inheritance is automatically disabled (http://support.microsoft.com/kb/817433/)
306398 AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts (http://support.microsoft.com/kb/306398/)
232199 Description and Update of the Active Directory AdminSDHolder Object (http://support.microsoft.com/kb/232199/)