In this article, we will go through the steps needed to delegate account unlocks using “Active Directory Users and Computers” console. If you want to delegate account unlocks to a particular user or a group in Active Directory, you will first have to make the right visible in this console.
All the rights attributes that can be made visible in Active Directory Users and Computers are listed in the “%windir%\System32\dssec.dat” file. The attributes are grouped under headings in square brackets (for example, [user], [computer] etc.). The filter value for each attribute is:
- 0 - Read and Write are visible
- 1 - Write is visible
- 2 - Read is visible
- 7 - Attribute is hidden
To modify the filter, open the dssec.dat file in Notepad (run Notepad as administrator, since the file lives in System32). Under the [user] heading, find the lockoutTime attribute and change its filter value from the default of 7 to 0 (lockoutTime=0). Save the changes and close the file.
Delegating the unlock account right
This takes you back to the wizard. Click “Next” to go to the next page.
In the Permissions list, check both the Read lockoutTime and Write lockoutTime boxes, and click Next.
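The same two steps (making lockoutTime visible in dssec.dat, then granting Read and Write lockoutTime on an OU) can be scripted for consistency across help-desk workstations and OUs. The following is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, an elevated Domain Admin session, and a hypothetical group "HelpDesk-Unlock" and OU "OU=Staff,DC=example,DC=com".

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module,
# an elevated Domain Admin session, and hypothetical group/OU names below.
Import-Module ActiveDirectory
$group = 'HelpDesk-Unlock'                 # hypothetical delegate group
$ou    = 'OU=Staff,DC=example,DC=com'      # hypothetical target OU

# 1. Make Read/Write lockoutTime visible in ADUC by setting lockoutTime=0 under [user].
$dssec = "$env:windir\System32\dssec.dat"
Copy-Item $dssec "$dssec.bak" -Force       # keep a backup before editing
$inUser = $false
$edited = foreach ($line in Get-Content $dssec) {
    if ($line -match '^\[(.+)\]$') { $inUser = ($Matches[1] -eq 'user') }
    if ($inUser -and $line -match '^lockoutTime=') { 'lockoutTime=0' } else { $line }
}
Set-Content -Path $dssec -Value $edited -Encoding Ascii

# 2. Resolve the schema GUIDs for the lockoutTime attribute and the user class.
$schema   = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
                -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter '(lDAPDisplayName=user)' `
                -Properties schemaIDGUID).schemaIDGUID

# 3. Grant the group Read and Write on lockoutTime, inherited by user objects in the OU only.
$sid = (Get-ADGroup $group).SID
$acl = Get-Acl "AD:\$ou"
foreach ($right in 'ReadProperty', 'WriteProperty') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::$right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,                                                         # only this attribute
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)                                                         # only on user objects
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Verify: show the ACEs on the OU that reference lockoutTime for the delegate group.
(Get-Acl "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

Step 1 only affects the console on the machine where it runs, so repeat it on every workstation from which delegates will use ADUC; step 3 is a directory change and applies everywhere at once.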
Unlocking a user’s account
To unlock a user’s account, first log in to the system and open Active Directory Users and Computers. Right-click the user whose account needs to be unlocked and select Properties from the context menu. In the Properties window, click the Account tab and select the Unlock Account checkbox; next to it you will see a note stating that this account is currently locked out on this Active Directory Domain Controller. Click Apply and OK to unlock the account.
In this article, we have gone through the steps by which you can delegate the Read lockoutTime and Write lockoutTime rights to a user or a group for a given domain or OU. As account policies are domain-specific, the account lockout policy applies to the entire domain. However, this delegation will not affect rights or policies in other domains, even domains in the same forest or when this domain is the forest root.
You can also use LepideAuditor to unlock user accounts and to see which user accounts are locked out. Lepide Active Directory Self Service lets you easily delegate the right to unlock user accounts to other users, and also allows users to unlock their own accounts from the logon screen.