Delegate unlock account permissions in Windows 2008 R2 domain

  • Delegate unlock account permissions in Windows 2008 R2 domain

    All,

    We're in the process of configuring our new domain. It's Windows 2008 R2 with both forest and domain functional levels at Windows 2008 R2. I'm trying to delegate permission over an OU for 1st line and 2nd line to have the ability to unlock admin and reset passwords on accounts.

    Resetting of passwords works fine and was achieved through the delegation wizard. Unlocking accounts does not appear in the delegation wizard, so I have to add it directly on the DACL. I've given them:

    READ - Allow LockoutTime
    WRITE - Allow LockoutTime

    This was based on the following support article:

    http://support.microsoft.com/kb/279723/en-us

    I know it's 2000 but the attributes are still used. I also found other documents referencing these attributes on 2008. After setting these, the user account still does not have permission to unlock user accounts.

    Anyone done this on 2008 R2?

    Michael
    Last edited by m80arm; 13th February 2010, 12:28.
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Delegate unlock account permissions in Windows 2008 R2 domain

    Will this help?
    http://www.expta.com/2008/09/how-to-...lock-user.html
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Delegate unlock account permissions in Windows 2008 R2 domain

      Cheers Marcel,

      I had actually read that document as well. I managed to resolve it by getting it working via the delegation wizard rather than having to edit the DACL directly. Via the wizard you need to ensure you select User accounts before the properties will show up.

      Thanks

      Michael


      • #4
        Re: Delegate unlock account permissions in Windows 2008 R2 domain

        Ah ok, I wasn't sure you had already read this article.
        But since you were talking about the DACL, I thought you had missed this one, since it describes using the delegation wizard.
        Marcel
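The delegation discussed in this thread, written out as an added PowerShell example (not code from either poster): one ACE granting read and write on lockoutTime, scoped to descendant user objects as when "User objects" is selected in the wizard, followed by a review of who can write that attribute under the OU. The OU distinguished name and group name are placeholders; the two GUIDs are the schema GUIDs of the lockoutTime attribute and the user class.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); run as an account
# allowed to modify the OU's permissions.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$group = 'EXAMPLE\Helpdesk-L1'          # placeholder delegate group

# Schema GUIDs: lockoutTime attribute and the user object class.
$lockoutTime = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'
$userClass   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read + write on lockoutTime only, inherited by descendant user objects.
# "Descendents" is the actual (misspelled) .NET enum member name.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTime,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: every Allow ACE on the OU that permits writing lockoutTime, either
# by naming the attribute or by covering all properties (empty ObjectType).
$writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $writeBit) -and
        ($_.ObjectType -eq $lockoutTime -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
                  InheritedObjectType, IsInherited
```

Rows in the review output with an all-zero InheritedObjectType apply to every object class under the OU, not only users, and are worth checking against what was intended.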