How to Delegate Rights to Unlock Accounts in Active Directory

3 min read | Updated On - April 04, 2024

In this article, we will go through the steps needed to delegate account unlocks using the “Active Directory Users and Computers” console. If you want to delegate account unlocks to a particular user or group in Active Directory, you first have to make the right visible in this console.

All the rights attributes that can be made visible in Active Directory Users and Computers are stored in the “%windir%\System32\dssec.dat” file. The attributes are grouped under headings surrounded by square brackets (for example, [user], [computer], etc.). The filter values for each attribute are:

  • 0 – Read and Write is visible
  • 1 – Write is visible
  • 2 – Read is visible
  • 7 – Attribute is hidden

To modify the filter, open the dssec.dat file in Notepad. Under the [user] heading, find the lockoutTime attribute. Change the value of the filter to 0 (lockoutTime=0); by default the value is 7. Save the changes and close the file.

Steps for Delegating the Unlock Account Rights

  1. Open “Active Directory Users and Computers”
  2. Right-click the Organizational Unit or domain in “Active Directory Users and Computers”. From the context menu, select “Delegate Control”
  3. The “Delegation of Control” wizard opens. Click Next on the Welcome dialog box to proceed
  4. Click “Add” to select the user/group to which the right will be assigned. Type the name of the user or group you want to add and click the “Check Names” button to verify it

     Click “OK”.

     This takes you back to the wizard. Click “Next” to go to the next page.

  5. In this step, you will have to choose the tasks. Select the 2nd radio button, Create a custom task to delegate, and click Next
  6. Select the 2nd option, which is Only the following objects in the folder. Select User objects in the list, and click Next
  7. Select the Property-specific checkbox and ensure that only this checkbox is selected

     In the Permissions list, check both the Read lockoutTime and Write lockoutTime boxes, and click Next.

  8. On the Completing the Delegation of Control Wizard dialog box, click Finish to close the wizard
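
To confirm what the wizard actually wrote, the following added example (not part of the original article or any Lepide tooling) lists every principal that holds Read or Write lockoutTime on the chosen container. It assumes the RSAT ActiveDirectory PowerShell module is installed; the OU distinguished name and the helper function name are placeholders introduced for illustration.

```powershell
# Added example: audit who holds Read/Write lockoutTime on an OU or domain.
# Assumes the RSAT ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder DN: replace with the OU or domain used in the Delegation of Control wizard.
$ouDn = 'OU=Staff,DC=example,DC=com'

# Resolve schema GUIDs at runtime instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {   # hypothetical helper name
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [System.Guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the delegated attribute
$userClassGuid   = Get-SchemaGuid 'user'          # "User objects" in the wizard

$propRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Keep only Allow ACEs scoped to the lockoutTime property.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $lockoutTimeGuid -and
        (($_.ActiveDirectoryRights -band $propRights) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'AppliesToUserObjects'
           Expression = { $_.InheritedObjectType -eq $userClassGuid } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Entries for principals other than the intended user or group indicate delegations that should be reviewed. Broader rights such as GenericAll or an unscoped WriteProperty also permit unlocking and are not matched by this property-specific filter.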

How to Unlock a User’s Account

To unlock a user’s account, first log in to the system. Open Active Directory Users and Computers. Right-click the user whose account you need to unlock and select Properties from the context menu. In the Properties window, click the Account tab. Select the Unlock Account checkbox; the text beside it states that this account has been locked on this Active Directory Domain Controller. Click Apply and OK to unlock the account.


How Lepide Helps with Account Unlocks

In this article, we have gone through the steps for delegating the Read lockoutTime and Write lockoutTime rights to a user or a group for a given domain or OU. As account policies are domain-specific, this account lockout policy will be implemented in the entire domain. However, this delegation will not affect rights or policies in other domains, even domains in the same forest, or even if this domain is the forest root.

You can also use Lepide Active Directory Auditor to find locked accounts, identify the source of the lockouts, and unlock them.
