Delegate unlock account permissions in Windows 2008 R2 domain

Home Forums Server Operating Systems Windows Server 2008 / 2008 R2 Delegate unlock account permissions in Windows 2008 R2 domain

Viewing 1 post (of 1 total)
  • Author
    Posts

  • m80arm
    Member
    #147511

    All,

    Were in the process of configuring our new domain. It’s windows 2008 R2 with both forrest and domain functional levels at Windows 2008R2. I’m trying to delegate permission over an OU for 1st line and 2nd line to have the ability to unlock admin and reset passwords on accounts.

    Resetting of passwords works fine and was achieved through the delegation wizard. Unlocking accounts does not appear in the delegation wizards so I have to add it directly on the DACL. I’ve give then:

    READ – Allow LockoutTime
    WRITE – Allow LockoutTime

    This was based on the following support article:

    http://support.microsoft.com/kb/279723/en-us

    I know it’s 2000 but the attributes are still used. I also found other documents referecing these attributes on 2008. After setting these the user account still does not have permission to unlock user accounts.

    Anyone done this on 2008 R2?

    Michael

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.