Delegating account unlock rights in AD


Solution 1

If you are facing problems with admin accounts, then it might be related to permissions getting reset on an hourly basis due to AdminSDHolder.

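The AdminSDHolder point above is worth checking before anything else: accounts with adminCount=1 (members of protected groups such as Domain Admins or Account Operators) get their security descriptor overwritten by SDProp with the ACL of CN=AdminSDHolder,CN=System, every 60 minutes by default, and inheritance from the OU is disabled on them. The following PowerShell is an added example, not code from the answer; the OU path and group name are assumptions, and it only reads, never changes, the ACLs.

```powershell
# Added example (not from the original answer). Assumptions: the OU that holds
# the user accounts and the delegated group are the ones named below.
Import-Module ActiveDirectory

$ou    = 'OU=Users,DC=example,DC=com'   # assumed OU the rights were delegated on
$group = 'HelpDesk-Unlock'              # assumed domain local group

# 1. Which accounts under the OU are protected by AdminSDHolder?
$protected = Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' -Properties adminCount
$protected | Select-Object SamAccountName, DistinguishedName

# 2. Does the delegated group appear on AdminSDHolder itself? If not, SDProp
#    will keep stripping the OU-level delegation from every protected account.
$domainNC = (Get-ADRootDSE).defaultNamingContext
$holder   = "CN=AdminSDHolder,CN=System,$domainNC"
(Get-Acl -Path "AD:\$holder").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# 3. Per protected account: is the group's ACE present, and is inheritance
#    blocked (AreAccessRulesProtected is $true once SDProp has touched it)?
foreach ($u in $protected) {
    $acl    = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $hasAce = $acl.Access | Where-Object { $_.IdentityReference -like "*\$group" }
    [pscustomobject]@{
        User               = $u.SamAccountName
        GroupHasAce        = [bool]$hasAce
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}
```

If step 3 reports protected accounts with no ACE and inheritance blocked, the OU delegation is working as designed and simply does not reach those accounts. The choice is then between adding the ACE to AdminSDHolder (which delegates unlock over every protected account in the domain, so review who is in that set first) or removing the account from the protected groups, clearing adminCount and re-enabling inheritance, which SDProp does not do on its own.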

Solution 2

Have you verified the admins in question have not been explicitly denied access to that attribute through membership of another group?


Author by ewall

Updated on September 17, 2022

Comments

  • ewall almost 2 years

    I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the error "You do not have the necessary permissions to unlock this account."

    Here's what I've done:

    • I created a domain local group and added the members who should have the rights. This was created over a week ago, so the users have logged out and in again.
    • In ADUC, I've used the Delegate Rights wizard on the OU which contains our user accounts to grant permissions to Read lockoutTime and Write lockoutTime to the group, per MSKB 279723.
    • I have double-checked the permissions were applied correctly in ADSIEdit.
    • I have forced replication between all domain controllers to ensure the permission changes were copied over.
    • The user testing it has logged out and in again to ensure he has any changes applied to his account.

    ...That covers all the bases I can think of. Anything else I could be missing?

    • Shanmugalakshmi over 14 years
      If possible, can you try to give the user the ADUC MMC and see if they can unlock the account that way? It's possible the LockoutStatus tool is trying to use some other permission that your user doesn't have for whatever reason.
    • ewall over 14 years
      That's a good idea, Paul. I'll give it a try sometime...