AD Administrative Delegation

I need help setting up Active Directory (AD) administrative delegation for my company’s IT Help desk. How do you give Help desk administrators the ability to unlock user accounts and reset user passwords?

To achieve these AD delegation requirements, you must give Help desk administrators the ability to

  • reset an account’s password
  • set the User must change password at next logon account property
  • unlock an account by unchecking the Account is locked out account property

To delegate these administrative tasks to your Help desk administrators, you need to set the following permissions for the Help desk accounts or group on the organizational unit (OU) for which you want to delegate permissions:

  • allow Reset Password permission for user objects—grants permission to reset an account’s password
  • allow Write lockoutTime permission for user objects—grants permission to unlock an account
  • allow Write pwdLastSet permission for user objects—grants permission to set User must change password at next logon account property
  • allow Read AccountRestrictions permission for user objects—grants permission to read all account options

In order to display the pwdLastSet and lockoutTime user account attributes in the advanced view of the AD ACL editor, you must edit the dssec.dat configuration file on the AD domain controller on which you are setting up the delegation. Set the lockoutTime and pwdLastSet attributes' value to 0 (the default value is 7). Figure 1 illustrates this process.

Because the number of different object classes and properties that are stored in AD is relatively big, by default the Advanced View of the ACL editor only displays a subset of the object classes and properties. To change the items displayed in the ACL editor, you can edit the dssec.dat file that is located in the %systemroot%\System32 directory of every domain controller.

The dssec.dat file contains a bracketed entry for every object class. If an object class’s @ value is set to 7, the type is not displayed in the ACL editor. If the value is set to 0, the type is displayed. The same rule is true for the different object properties: If a property’s value is set to 7, the type isn't displayed; 6 means that only the read permission is displayed; 5 means that only the write permission is displayed; and 0 means that both the read and write permissions are displayed for the property. To save the changes you make to dssec.dat, you must close and restart the AD Users and Computers Microsoft Management Console (MMC) snap-in.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish