In this article, we will go through the steps needed to delegate account unlocks using the “Active Directory Users and Computers” console. The right that unlocks an account is write access to the user’s lockoutTime attribute, and the Delegation of Control wizard hides that attribute by default. So, before you can delegate it to a particular user or group, you first have to make it visible in the console.
The attributes whose rights can be shown in Active Directory Users and Computers are listed in the “%windir%\System32\dssec.dat” file, grouped under headings in square brackets by object class (for example, [user], [computer] etc.). Each attribute carries a filter value with the following meaning:
- 0 – Read and Write is visible
- 1 – Write is visible
- 2 – Read is visible
- 7 – Attribute is hidden
To modify the filter, open dssec.dat in Notepad started as administrator (the file sits in System32 and is not writable by a standard user). Under the [user] heading, find the lockoutTime attribute and change its filter from the default 7 to 0 (lockoutTime=0). Save the file and close it, then restart Active Directory Users and Computers so that the wizard picks up the change. Note that dssec.dat is a per-machine file: the edit only affects the console on the computer where you made it, so repeat it on every workstation or server from which you intend to run the wizard.
Steps for Delegating the Unlock Account Rights
- Open “Active Directory Users and Computers”
- Right-click the Organizational Unit (or the domain) whose user objects the delegate should be able to unlock, and select “Delegate Control” from the context menu. Pick the narrowest OU that contains the relevant users; the right is inherited by everything below it

- The “Delegation of Control” wizard opens. Click Next on the Welcome page to proceed
- Click “Add” to select the user or group to which the right will be assigned. Type the name and click the “Check Names” button to verify it, then click OK. A group is preferable to an individual user, so that membership can be reviewed and revoked without touching the ACL again

This takes you back to the wizard. Click “Next” to go to the next page.
- On the Tasks to Delegate page, select the second radio button, “Create a custom task to delegate”, and click Next. The built-in “Reset user passwords and force password change at next logon” task is not what we want here: it grants far more than the ability to unlock

- On the Active Directory Object Type page, select the second option, “Only the following objects in the folder”. Tick “User objects” in the list and click Next

- On the Permissions page, select the “Property-specific” checkbox and make sure it is the only one selected (leave “General” and “Creation/deletion of specific child objects” clear, otherwise the list fills with rights that go well beyond unlocking). In the Permissions list, check both the “Read lockoutTime” and “Write lockoutTime” boxes, and click Next. If lockoutTime is missing from the list, the dssec.dat edit above was not applied or the console was not restarted afterwards

- On the Completing the Delegation of Control Wizard dialog box, click Finish to close the wizard
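The same delegation can be written directly as an access control entry from PowerShell. The following is an added example, not code from the original article: it uses the ActiveDirectory module and the AD: drive to grant Read and Write on lockoutTime, inherited only by user objects below an OU, and then reads the ACL back to confirm that nothing broader was granted. Because the ACE is written directly, no dssec.dat edit is needed for this path (that edit only controls what the GUI wizard displays); a helper that performs the dssec.dat change is included for machines where the wizard will still be used. The OU distinguished name and the group name are placeholders.

```powershell
# Added example (not from the original article). Run as an account allowed to modify
# the OU's security descriptor, e.g. a member of Domain Admins.
Import-Module ActiveDirectory

# schemaIDGUIDs from the AD schema; these are the same in every forest.
$lockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # attributeSchema: lockoutTime
$userClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # classSchema: user

function Enable-LockoutTimeInDssec {
    # Only needed on machines where the GUI wizard will be used. Sets lockoutTime=0 under
    # the [user] heading of dssec.dat and leaves every other section untouched. Run elevated.
    $path = Join-Path $env:windir 'System32\dssec.dat'
    Copy-Item -Path $path -Destination "$path.bak" -Force
    $section = ''
    $updated = foreach ($line in Get-Content -Path $path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
        if ($section -eq 'user' -and $line -match '^lockoutTime=') { 'lockoutTime=0' } else { $line }
    }
    Set-Content -Path $path -Value $updated -Encoding Ascii
}

function Grant-UnlockDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # placeholder: 'OU=Staff,DC=corp,DC=example'
        [Parameter(Mandatory)] [string] $GroupSamAccountName    # placeholder: 'HelpDesk-Unlock'
    )
    $group = Get-ADGroup -Identity $GroupSamAccountName
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # One ACE: ReadProperty + WriteProperty restricted to lockoutTime (ObjectType), inherited
    # by descendant objects of class user only (InheritedObjectType). Nothing else is granted,
    # which is what the wizard produces when only the two lockoutTime boxes are ticked.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Test-UnlockDelegation {
    # Lists every ACE the group holds on the OU and flags any that is wider than the
    # lockoutTime-only entry (for example GenericAll or WriteDacl left over from an
    # earlier, broader delegation).
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupSamAccountName
    )
    $sid  = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $aces = (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
    foreach ($a in $aces) {
        $unlockOnly = ($a.ObjectType -eq $lockoutTimeGuid) -and
                      ($a.InheritedObjectType -eq $userClassGuid) -and
                      ($a.ActiveDirectoryRights -eq 'ReadProperty, WriteProperty')
        [pscustomobject]@{
            Rights     = $a.ActiveDirectoryRights
            ObjectType = $a.ObjectType
            InheritsTo = $a.InheritedObjectType
            UnlockOnly = $unlockOnly
        }
    }
}

# Usage with the placeholder names:
# Grant-UnlockDelegation -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupSamAccountName 'HelpDesk-Unlock'
# Test-UnlockDelegation  -OuDistinguishedName 'OU=Staff,DC=corp,DC=example' -GroupSamAccountName 'HelpDesk-Unlock'
```

Test-UnlockDelegation should report exactly one entry with UnlockOnly set to True for the group. Any additional entry for the same group, or one whose ObjectType is the empty GUID (meaning all properties), is a sign that a previous delegation granted more than unlocking and should be cleaned up. The built-in dsacls utility shows the same information from a command prompt if the ActiveDirectory module is not installed.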
How to Unlock a User’s Account
To unlock a user’s account, log in as a member of the user or group that received the delegation and open Active Directory Users and Computers. Right-click the user whose account needs unlocking and select Properties from the context menu. In the Properties window, click the Account tab. The Unlock account checkbox is labelled to say that the account is currently locked out on this Active Directory Domain Controller; select it, then click Apply and OK. This writes lockoutTime=0 on the domain controller the console is connected to, which is precisely the attribute that was delegated, and the change replicates to the other domain controllers. Two things are worth checking afterwards: the unlock is recorded as event ID 4767 (“A user account was unlocked”) in the Security log of that domain controller, so delegated unlocks remain auditable; and if the account locks again shortly afterwards, something is still presenting an old password (a service, a mapped drive or a stale logon session) and needs to be found rather than the account being unlocked over and over.
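The unlock step from PowerShell, with the two checks a practitioner wants first: which accounts are currently locked out, and which computer caused the lockout. This is an added example, not code from the original article. It reads event 4740 (“A user account was locked out”) from the PDC emulator, which records every lockout in the domain, and then calls Unlock-ADAccount, which sets lockoutTime to 0 exactly as the ADUC checkbox does. It assumes that success auditing for “Audit User Account Management” is enabled on the domain controllers and that the caller can read the PDC emulator’s Security log; the account name is a placeholder.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

function Get-LockoutSource {
    # Returns one record per 4740 event for the account in the last $Hours hours.
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            # In 4740 the first property is TargetUserName and the second (TargetDomainName)
            # carries the "Caller Computer Name", i.e. where the bad password came from.
            [pscustomobject]@{
                Time             = $_.TimeCreated
                Account          = $_.Properties[0].Value
                CallerComputer   = $_.Properties[1].Value
                DomainController = $pdc
            }
        }
}

function Unlock-UserAccount {
    # Reports the lockout sources, unlocks the account and re-reads its state from the
    # PDC emulator so that the result is not masked by replication delay.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $pdc    = (Get-ADDomain).PDCEmulator
    $before = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties LockedOut
    if (-not $before.LockedOut) {
        return [pscustomobject]@{ Account = $SamAccountName; WasLocked = $false; LockedOut = $false; Sources = @() }
    }
    # Anything still replaying a stale password will relock the account within the
    # observation window, so surface the sources alongside the unlock, not after it.
    $sources = Get-LockoutSource -SamAccountName $SamAccountName
    Unlock-ADAccount -Identity $SamAccountName -Server $pdc    # writes lockoutTime=0; logged as 4767
    $after = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties LockedOut
    [pscustomobject]@{
        Account   = $SamAccountName
        WasLocked = $true
        LockedOut = $after.LockedOut
        Sources   = @($sources | Select-Object -ExpandProperty CallerComputer -Unique)
    }
}

# List every locked-out account in the domain, then unlock one (placeholder name):
# Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-UserAccount -SamAccountName 'jdoe'
```

Run under the delegated helpdesk account, Unlock-ADAccount succeeds with nothing more than the lockoutTime delegation described above, while any attempt to reset the password or edit other attributes is refused; that is the least-privilege outcome the delegation is meant to produce. If Get-LockoutSource returns nothing for an account that is plainly locked out, check the audit policy on the domain controllers before assuming there were no events.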

In this article, we have gone through the steps by which you can delegate the Read lockoutTime and Write lockoutTime rights on user objects to a user or group for a given domain or OU. Two different scopes are involved here and should not be confused. The delegation itself is an access control entry on the OU or domain you selected in the wizard, inherited by the user objects beneath it, and it grants nothing beyond unlocking: no password resets, no group changes, no other attribute writes. The account lockout policy (threshold, lockout duration and observation window), on the other hand, is defined domain-wide and is not changed by this delegation in any way. Neither crosses a domain boundary: the delegation has no effect in other domains of the same forest, even when the domain you delegated in is the forest root, and each domain keeps its own lockout policy.
How Lepide’s Free Tool Helps with Account Unlocks
Lepide Account Lockout Examiner (Free Tool) can help you find locked-out accounts, identify the source of the lockout, and unlock them.
Instant Account Lockout Detection
Continuously monitor your Active Directory to identify account lockouts as they happen, enabling faster troubleshooting.

Remote Account Unlocking
Effortlessly restore access by unlocking locked user accounts directly through the tool’s interface.

Password Reset Remotely
Conveniently change user passwords from within the tool, with options to enforce password policies.

Investigate – Endpoint Credential Scanning
Examine endpoints for stored credentials in places such as services, mapped drives and logon sessions that may be triggering repeated lockouts.
