How To Delegate the Unlock Account Right
This article was previously published under Q294952
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes the process to delegate the right to unlock locked user accounts to a particular group or user in Active Directory.
By default the Delegation of Control Wizard does not list the lockoutTime attribute, because the attribute filter file %Systemroot%\System32\Dssec.dat hides it. To reveal the Unlock Account (lockoutTime) right for the Delegation of Control Wizard:
- On the Windows 2000 computer on which you are planning to run the Active Directory Users and Computers console, open the %Systemroot%\System32\Dssec.dat file with Microsoft WordPad.
- On the Edit menu, use the find command to locate [user].
- Under the user section, find the lockoutTime entry. The entries are listed alphabetically.
- Change the value of the lockoutTime entry from lockoutTime=7 to lockoutTime=0. A value of 7 hides both the read and the write permission for the attribute; 0 displays both.
- On the File menu, click Save As, and save the file as plain text in its original location. When the formatting warning message is displayed, click OK. The Read lockoutTime and Write lockoutTime permissions are now selectable in the Delegation of Control Wizard on this computer.
- Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).
- Right-click the domain in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed. To limit the right to a subset of users, right-click the organizational unit that contains those users instead of the domain; the remaining steps are the same.
- The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.
- On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
- On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
- On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.
- On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next.
- On the Completing the Delegation of Control Wizard dialog box, click Finish.
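The two parts of the procedure above, the Dssec.dat edit and the delegation itself, can also be scripted. The following PowerShell is an added example, not code from the Knowledge Base article. It assumes a hypothetical domain contoso.com and a group CONTOSO\Help Desk Admins, runs as a domain administrator on a domain-joined Windows host with .NET, and uses System.DirectoryServices so that it does not depend on the Active Directory module. The schema GUIDs are the well-known values for the lockoutTime attribute and the user object class. The third function reads the ACL back so you can confirm the right landed, both on the domain and on an individual user object.

```powershell
# Added example (not part of KB 294952). Assumptions: domain contoso.com,
# group "CONTOSO\Help Desk Admins" created as in the steps above, run as a domain admin.
$DomainDn  = 'DC=contoso,DC=com'              # assumption: your domain's distinguished name
$GroupName = 'CONTOSO\Help Desk Admins'        # assumption: the group that gets the unlock right
$LockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # schemaIDGUID of lockoutTime
$UserClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

# Part 1: make lockoutTime visible in the Delegation of Control Wizard (steps 1-5 above).
# Only the entry under [user] is changed; other sections of Dssec.dat are left untouched.
function Set-DssecLockoutTimeVisible {
    param([string]$Path = "$env:SystemRoot\System32\Dssec.dat")
    Copy-Item -Path $Path -Destination "$Path.bak" -Force      # keep a backup of the filter file
    $inUserSection = $false
    $patched = foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\[(.+)\]\s*$') { $inUserSection = ($Matches[1] -eq 'user') }
        if ($inUserSection -and $line -match '^lockoutTime\s*=\s*7\s*$') { 'lockoutTime=0' } else { $line }
    }
    Set-Content -Path $Path -Value $patched -Encoding Ascii     # plain text, as the WordPad step requires
}

# Part 2: the ACE the wizard writes in steps 6-13: Read/Write property lockoutTime,
# inherit-only, applied to descendant user objects.
function Grant-UnlockAccountRight {
    param([string]$Dn, [string]$Group)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $LockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # .NET spells it this way
        $UserClassGuid)
    $entry.ObjectSecurity.AddAccessRule($ace)
    $entry.CommitChanges()
}

# Part 3: verify. Returns $true if $Group holds Write lockoutTime on $Dn, counting inherited ACEs,
# so it works both for the domain (explicit ACE) and for a user object (inherited ACE).
function Test-UnlockAccountRight {
    param([string]$Dn, [string]$Group)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $match = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Group -and
        $_.ObjectType -eq $LockoutTimeGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
    return [bool]$match
}

# Usage (assumed names):
Set-DssecLockoutTimeVisible
Grant-UnlockAccountRight -Dn $DomainDn -Group $GroupName
Test-UnlockAccountRight -Dn $DomainDn -Group $GroupName                          # expected: True
Test-UnlockAccountRight -Dn "CN=Jane Doe,OU=Staff,$DomainDn" -Group $GroupName   # ordinary user: True
```

Run Test-UnlockAccountRight against a member of a protected group such as Domain Admins as well: it returns False there, because AdminSDHolder disables inheritance on those accounts, which is the behaviour the referenced articles on AdminSDHolder describe. To scope the right to one organizational unit instead of the whole domain, pass that OU's distinguished name as -Dn.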
This delegation is a change to the access control list of this domain only. It does not affect rights or policies in other domains, even domains in the same forest, and it makes no difference whether this domain is the root of the forest. Two further points apply within the domain. First, the right is granted through inheritance to user objects, so it does not reach accounts that are members of protected groups: the AdminSDHolder process disables inheritance on those accounts and replaces their permissions, as described in the articles listed below. Second, Write lockoutTime allows the delegate to set any value on the attribute, not only to clear it; unlocking an account in Active Directory Users and Computers (clearing the Account is locked out check box on the Account tab) is what writes the value 0.
For more information about account policies and delegation in Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:
255550 Configuring Account Policies in Active Directory
817433 Delegated permissions are not available and inheritance is automatically disabled
306398 AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
232199 Description and Update of the Active Directory AdminSDHolder Object
Article ID: 294952 - Last Review: 12/06/2015 01:51:31 - Revision: 3.3
Microsoft Windows 2000 Server SP1, Microsoft Windows 2000 Server SP2, Microsoft Windows 2000 Advanced Server SP1, Microsoft Windows 2000 Advanced Server SP2, Microsoft Windows 2000 Datacenter Server SP2, Microsoft Windows 2000 Server