JSI Tip 3746. How can I delegate the unlock account right?

To delegate the right to unlock locked-out user accounts to a user or group in Active Directory, you must first make the right visible: unlocking an account means writing the lockoutTime attribute, and the Delegation of Control wizard hides that attribute by default.

The %Systemroot%\System32\Dssec.dat file contains the filters that control which attributes the wizard reveals, and it can be edited with Notepad (the file lives under System32, so open Notepad with administrative rights). Open Dssec.dat and find the [User] section. Within [User], the entries are listed alphabetically; locate the lockoutTime entry and change its mask from 7 to 0, so that the line reads lockoutTime=0.

NOTE: The mask values appear to be:

0 - Read and Write of the property unfiltered (shown in the wizard)
1 - Read of the property filtered
2 - Write of the property filtered
7 - Filter out the property entirely (the default for lockoutTime)

Save the change.

To delegate the right:

1. Right-click the domain in Active Directory Users and Computers and choose Delegate Control from the context menu.

2. Press Next on the Welcome.... dialog.

3. Press Add and select the user or group.

4. Press OK and Next.

5. Select Create a custom task to delegate and press Next.

6. Select Only the following objects in the folder. In the list, check User objects and press Next.

7. Clear the General selection and select the Property-specific box.

8. Select both the Read lockoutTime and Write lockoutTime boxes and press Next.

9. Press Finish.

NOTE: Because the wizard was run against the domain, the delegation covers every user object in the domain. What the wizard writes is an ordinary inheritable ACE (Read/Write lockoutTime on descendant User objects), so the same wizard can be run against an OU instead to limit the delegation to the users in that OU's subtree. Either way, confirm the result on the container's Security tab (Advanced) or with dsacls before handing the right to the help desk; Write lockoutTime lets the delegate clear a lockout and nothing else.
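The same procedure scripted in PowerShell, as an added example that is not part of the original tip: it edits Dssec.dat (the first step above), sets the Read/Write lockoutTime ACE that wizard steps 1 to 9 produce, and then reads the ACL back to verify it. The group name HelpDesk-Unlock, the EXAMPLE domain in the dsacls comment and the account jdoe are assumptions; the script needs the RSAT ActiveDirectory module and an elevated prompt on a domain-joined machine.

```powershell
# Added example, not part of the original JSI tip.
# Assumptions: RSAT ActiveDirectory module installed, elevated prompt, domain-joined host,
# 'HelpDesk-Unlock' is the sAMAccountName of the group to delegate to.
Import-Module ActiveDirectory

$DelegateGroup = 'HelpDesk-Unlock'                   # assumed group name
$TargetDN      = (Get-ADDomain).DistinguishedName    # the domain, as in the tip; an OU DN also works

# --- Step 1: make lockoutTime visible in the Delegation of Control wizard ----------------
# Only needed for the GUI wizard; the ACE set in step 2 does not depend on Dssec.dat.
function Set-DssecLockoutTimeVisible {
    $path = Join-Path $env:SystemRoot 'System32\Dssec.dat'
    Copy-Item -Path $path -Destination "$path.bak" -Force       # keep the original filter file
    $section = ''
    $out = foreach ($line in Get-Content -Path $path) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }  # track the INI section
        # change the mask only for the lockoutTime entry of the [user] section (7 -> 0)
        if ($section -eq 'user' -and $line -match '^(lockoutTime)=\d+\s*$') {
            "$($Matches[1])=0"
        } else {
            $line
        }
    }
    Set-Content -Path $path -Value $out -Encoding Ascii
}

# --- Step 2: grant Read/Write lockoutTime on descendant user objects (wizard steps 1-9) ---
function Grant-UnlockRight {
    param([string]$Group, [string]$Target)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # resolve the schema GUIDs at run time instead of hard-coding them
    $lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))' `
        -Properties schemaIDGUID).schemaIDGUID
    $userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
        -Properties schemaIDGUID).schemaIDGUID
    $sid = (Get-ADGroup -Identity $Group).SID

    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,                                                     # the one property delegated
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                       # ...and only on user objects
    $acl = Get-Acl -Path "AD:\$Target"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Target" -AclObject $acl
    return $lockoutTimeGuid
}

# --- Step 3: read the ACL back and show exactly what was granted ---------------------------
function Test-UnlockRight {
    param([string]$Group, [string]$Target, [guid]$LockoutTimeGuid)
    (Get-Acl -Path "AD:\$Target").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Group" -and $_.ObjectType -eq $LockoutTimeGuid } |
        Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize
}

Set-DssecLockoutTimeVisible                                   # optional, GUI wizard only
$guid = Grant-UnlockRight -Group $DelegateGroup -Target $TargetDN
Test-UnlockRight -Group $DelegateGroup -Target $TargetDN -LockoutTimeGuid $guid

# Equivalent dsacls one-liner (sub-objects only, Read/Write property lockoutTime on user objects):
#   dsacls "$TargetDN" /I:S /G "EXAMPLE\HelpDesk-Unlock:RPWP;lockoutTime;user"
# A member of the group can then clear a lockout with:  Unlock-ADAccount -Identity jdoe
```

Test-UnlockRight should list a single Allow entry for the group with ReadProperty, WriteProperty, InheritanceType Descendents and InheritedObjectType equal to the user class GUID; anything broader (no ObjectType, or GenericAll) means the wrong wizard page was used. Run the final Unlock-ADAccount check as a member of the delegated group, not as a domain admin, or it proves nothing about the delegation.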
