So you want to delegate permission to unlock accounts and reset passwords for users in your domain? It’s not as straightforward as it should be, because the ACL Editor hides the attribute you need by default.
First, you have to edit %SystemRoot%\System32\dssec.dat to make the property visible. This file only controls which attributes the ACL Editor displays, so edit it on the machine you run Active Directory Users & Computers from (it lives in System32, so open Notepad elevated), and the change has no effect on the directory itself.
Open the file in Notepad, find the [user] section, and change the line lockoutTime=7 to lockoutTime=0 (7 hides the attribute, 0 shows it). Save and close.
Now open Active Directory Users & Computers (switch on View > Advanced Features first, otherwise the Security tab is not shown):
- Go to Properties on the desired OU
- Go to Security > Advanced
- Click Add and select the user/group to delegate to
- Select Properties, and then choose Descendant User objects from the Apply to list
Here’s what you need to check (the lockoutTime entries only appear once dssec.dat has been edited as above):
- Read accountExpires
- Read lockoutTime
- Write lockoutTime
- Reset Password
- Read pwdLastSet
- Write pwdLastSet
Write lockoutTime is what allows the unlock; Reset Password together with Write pwdLastSet is what allows a password reset with "User must change password at next logon".
That’s it, all good!
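The same delegation done from PowerShell, as an added example that is not part of the original post. Writing the ACEs directly does not depend on dssec.dat at all, since that file only affects what the GUI displays; the schema and extended-right GUIDs are looked up from the forest rather than hard-coded. It assumes the RSAT ActiveDirectory module, an account allowed to modify the OU's security descriptor, and placeholder values for the OU distinguished name and group name.

```powershell
# Added example, not the post's own code: delegate unlock + reset-password on one OU
# to one group. Requires the RSAT ActiveDirectory module (provides the AD: drive).
# $ouDN and $groupName are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$groupName = 'Helpdesk-Unlock'               # placeholder group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID of an attribute or class, looked up by lDAPDisplayName
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# rightsGuid of an extended (control access) right, looked up by displayName
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$displayName' not found" }
    return [guid]$obj.rightsGuid
}

$userClassGuid = Get-SchemaGuid 'user'          # inheritedObjectType: descendant user objects only
$sid           = (Get-ADGroup $groupName).SID
$acl           = Get-Acl -Path "AD:\$ouDN"

# Property ACEs, mirroring the checkboxes in the post
$props = @(
    @{ Name = 'accountExpires'; Rights = 'ReadProperty' },
    @{ Name = 'lockoutTime';    Rights = 'ReadProperty, WriteProperty' },
    @{ Name = 'pwdLastSet';     Rights = 'ReadProperty, WriteProperty' }
)
foreach ($p in $props) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$p.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $p.Name),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}

# "Reset Password" extended right on descendant user objects
$resetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-RightsGuid 'Reset Password'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($resetPwd)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs that now apply to the delegated group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped with InheritedObjectType set to the user class, they never apply to computers, groups or the OU object itself, which is the same restriction the "Descendant User objects" choice gives you in the GUI. The verification step at the end is worth keeping in any delegation script: a missing or mis-scoped GUID silently grants the wrong right rather than failing.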
Hi Kristoffer, good post! Just thought I would add that sometimes the attributes we wish to give permissions for are not in the UI, so we need to tweak dssec.dat for that.
I also found a helpful post on How to modify dssec.dat to get the ACL Editor to display specific attributes which explains exactly how to do this.
Once dssec.dat has been modified, the attributes can easily be modified in the UI.