In this article, we will go through the steps needed to delegate account unlocks using the “Active Directory Users and Computers” console. If you want to delegate account unlocks to a particular user or group in Active Directory, you will first have to make the right visible in this console.
The list of attributes that can be made visible in Active Directory Users and Computers is stored in the “%windir%\System32\dssec.dat” file. The attributes are grouped under headings surrounded by square brackets (for example, [user], [computer], etc.). The filter value for each attribute means:
- 0 – Read and Write is visible
- 1 – Write is visible
- 2 – Read is visible
- 7 – Attribute is hidden
To modify the filter, open the dssec.dat file in Notepad (run Notepad as an administrator, since the file lives under System32). Under the [user] heading, find the lockoutTime attribute and change the filter value to 0 (lockoutTime=0); by default the value is 7. Save the changes and close the file.
For Delegating the Unlock Account Right
- Open “Active Directory Users and Computers”
- Right-click the Organizational Unit or domain in “Active Directory Users and Computers”. From the context menu, select “Delegate Control”
- “Delegation of Control” wizard opens up. Click Next on the Welcome dialog box to proceed
- Click “Add” to select the user/group to which the right will be assigned. Type the name of the user or group you want to add and click the “Check Names” button to verify it. This takes you back to the wizard; click “Next” to go to the next page
- In this step, you will have to choose the tasks. Select the 2nd radio button, Create a custom task to delegate, and click Next
- Select the 2nd option, which is Only the following objects in the folder. Select User objects in the list, and click Next
- Select the Property-specific checkbox and ensure that only this checkbox is selected. In the Permissions list, check both the Read lockoutTime and Write lockoutTime boxes, and click Next
- On the Completing the Delegation of Control Wizard dialog box, click Finish to close the wizard
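The same delegation can be scripted instead of clicked through the wizard. The following PowerShell is an added example, not part of the original article: it writes one ACE granting a group Read and Write on the lockoutTime attribute of user objects under an OU, then lists the result for auditing. The OU distinguished name and the group name are placeholders; the ActiveDirectory module (RSAT) and its AD: drive are assumed.

```powershell
# Added example: delegate Read/Write lockoutTime on user objects in one OU.
# Placeholders below must be changed to your own OU and group.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk Managed Users,DC=example,DC=com'   # placeholder OU
$groupName = 'Helpdesk-Unlock'                                # placeholder group

# Resolve the schema GUIDs of the lockoutTime attribute and the user class from
# the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# One ACE: ReadProperty + WriteProperty, limited to the lockoutTime attribute
# (objectType) and inherited only by user objects (inheritedObjectType).
# Descendents = applies to child objects, not to the OU itself.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: show every ACE on the OU that names the delegated group, so the
# delegation can be reviewed and nothing broader than lockoutTime slipped in.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Editing dssec.dat only controls what the wizard displays; Set-Acl writes the ACE regardless. Once the ACE is in place, a member of the group can also unlock an account with `Unlock-ADAccount -Identity <sAMAccountName>` rather than through the Account tab.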
Unlocking a User’s Account
To unlock a user’s account, first log in to the system. Open Active Directory Users and Computers. Right-click the user whose account you need to unlock and select Properties from the context menu. In the Properties window, click the Account tab and select the Unlock Account checkbox; its label states that the account is currently locked out on this Active Directory Domain Controller. Click Apply and then OK to unlock the account.
In this article, we have gone through the steps by which you can delegate the Read lockoutTime and Write lockoutTime rights to a user or a group for a given domain or OU. As account policies are domain-specific, this account lockout policy will be implemented in the entire domain. However, this delegation will not affect rights or policies in other domains, even in domains of the same forest or if this domain is a forest’s root.
You can also use LepideAuditor to unlock user accounts and to see which user accounts are locked out. Lepide Active Directory Self Service lets you easily delegate the right to unlock user accounts to other users and also allows users to unlock their own accounts at the logon screen.