We’re in the process of configuring our new domain. It’s Windows 2008 R2 with both forest and domain functional levels at Windows 2008 R2. I’m trying to delegate permission over an OU for 1st line and 2nd line to have the ability to unlock admin and reset passwords on accounts.
Resetting of passwords works fine and was achieved through the delegation wizard. Unlocking accounts does not appear in the delegation wizard, so I have to add it directly on the DACL. I’ve given them:
I know it’s 2000 but the attributes are still used. I also found other documents referencing these attributes on 2008. After setting these, the user account still does not have permission to unlock user accounts.