The Dsacls.exe tool can manage access control lists (ACLs) for directory services.
To delegate the right to unlock user accounts in the ouname Organization Unit to the members of the Domain\GroupName security group:
dsacls "ou=ouname,dc=domain,dc=com" /i:s /g "Domain\GroupName":rpwp;lockouttime;user
"ou=ouname,dc=domain,dc=com" - The OU to which you want to delegate authority. /i:s - Permissions are inherited onto child objects only. /g "Domain\GroupName":rpwp;lockouttime;user - Grant Read and Write Permission, grant permission to the lockoutTime attribute, grant the permission to user objects only, to the "Domain\GroupName".To delegate the authority to members of the Help Desk group over user accounts in the Sales Organization Unit in the prod.jsiinc.com domain (down-level domain name = prod):
dsacls "ou=sales,dc=prod,dc=jsiinc,dc=com" /i:s /g "prod\help desk":rpwp;lockouttime;user