Delegating additional functions with AD

  • Delegating additional functions with AD

    Hi! Glad to be here at the forums.

    I've been having an issue trying to delegate the ability to unlock user accounts in a specific OU.

    I created an MMC console that is departmental/OU specific and removed the toolbars and closed the authoring so no changes could be made. I then created an OU with my "supervisors" group in it. I joined specific members to the "supervisors" group. I then used the delegation wizard to delegate the ability to reset passwords.

    This worked for that function perfectly. I then tried to add additional permissions to unlock the account. I edited the dssec.dat [user] section, set lockoutTime=0 and saved the file. I then had the functions "Write\ReadLockoutTime" appear as values in the properties... yet when I check them in the permissions they don't seem to be active. When I use the supervisors' station to try to unlock an account, it says I don't have the required permissions to do so...

    If I give the supervisors group full control, they can unlock the account without any problem, but the last thing I want to do is give full control to anyone in my network...

    What permissions are necessary to unlock an account that I am overlooking? Like I said, every other function works (or doesn't) as expected: they can't delete users or change OU, but they can reset passwords.

    Any suggestions would be greatly appreciated. I spend about 45 minutes every morning unlocking passwords... We have about 24 departments with roughly 450 employees, and I can think of a lot more stuff to do besides unlocking accounts all morning long. I would like to have the supervisors unlock accounts and reset passwords...

    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...

  • #2
    Re: Delegating additional functions with AD

    Not a big fan of the wizard... Have just checked, and delegation works fine when using ADUC with the "supervisor" account.

    My steps were:

    1) Edit dssec.dat and add LockoutTime=0 under the [user] section
    2) Right-click the OU which contains the accounts whose unlocking we want to delegate, and choose Properties.
    3) Go to the Security tab (ADUC needs Advanced Features to be enabled under the View menu).
    4) Click the Advanced button and then Add.
    5) Provide the details of the security group to which you want to delegate the permission to unlock the accounts in the OU.
    6) Click OK and, in the dialog that opens, go to the Properties tab.
    7) In the Apply Onto drop-down box select "User objects".
    8) Check Read LockoutTime and Write LockoutTime.
    9) Acknowledge the dialogs.
    10) Go to the supervisor's workstation and, if the "supervisors" group has just been created, make him log out and log on again to pick up the group membership change.
    11) Unlock the locked account using ADUC.

    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
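The scripted equivalent of steps 2-9 above, added here as an example and not part of the original thread or Guy's reply. It grants a group Read and Write on the lockoutTime attribute of descendant user objects in one OU (the "Apply onto: User objects" setting), then lists the ACEs that target lockoutTime so you can confirm the right actually landed on the OU. It assumes the ActiveDirectory module (RSAT) is installed; the OU distinguished name, the domain and the group name "supervisors" are placeholders to adjust.

```powershell
# Added example: delegate Read/Write lockoutTime on user objects in an OU.
# Placeholders: the OU DN and domain below are not from the thread.
Import-Module ActiveDirectory

$OuDn     = 'OU=Sales,DC=example,DC=com'   # placeholder OU, change for your domain
$GroupSam = 'supervisors'                   # the delegated group from the thread

# Resolve schema GUIDs at runtime rather than hardcoding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the attribute being granted
$userClassGuid   = Get-SchemaGuid 'user'          # "Apply onto: User objects"

$sid = (Get-ADGroup $GroupSam).SID
$acl = Get-Acl -Path "AD:\$OuDn"

# One ACE: ReadProperty + WriteProperty on lockoutTime, inherited only by
# descendant objects of class user. Nothing else on the user object is touched.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show the ACEs on the OU that target lockoutTime. An entry that is
# missing here, or that has the wrong InheritedObjectType, explains a
# "permission appears but is not active" symptom like the one in post #1.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.ObjectType -eq $lockoutTimeGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritedObjectType
```

Two points from the thread carry over to the script. First, step 10 still applies: group membership is stamped into the logon token, so a supervisor added to the group must log off and on before the ACE takes effect for them. Second, the test in step 11 can be done from the supervisor's session with `Unlock-ADAccount -Identity <sAMAccountName>`, which exercises exactly the lockoutTime write that was delegated, without granting Full Control to find out whether the delegation works.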


    • #3
      Re: Delegating additional functions with AD

      I can't say that I'm a fan of the wizard either, but I tried it thinking maybe I missed something... but that is how I tried it also. 100% manual first.

      I'm thinking I have some replication issues or something, because it isn't working properly for me. I cannot enable or unlock an account for anything with the delegated test account.

      Thank you for the reply. I'm gonna go back and try one more time tomorrow after the cache clears and I get some successful dcdiags. We just had some issues with a couple of DCs in our domain.

      Maybe I should note that we have a weird DNS situation... a third-party company hosts the DNS for our domain and they won't update A records for us, and I think that affects replication in my domain... but I'm not sure.

      And also, Kerberos auth is disabled. Would that affect anything? I don't think so, but just want to be thorough...

      Thanks again!


      • #4
        Re: Delegating additional functions with AD

        > kerberos auth is disabled..

        How did you do that?


        • #5
          Re: Delegating additional functions with AD

          > How did you do that?

          It's the last checkbox in the user properties, account info. Actually not disabled, but not required. Due to the DNS/DHCP situation at my work, it causes authentication problems with network printers.

          And I guess it was an ID-10-T error... I deleted the group and started over. Second time was a charm.

          Thanks for the help, guys!