JSI Tip 3914. How can I delegate the right to unlock locked user accounts, in a batch file?

The Dsacls.exe tool can manage access control lists (ACLs) for directory services.

To delegate the right to unlock user accounts in the ouname Organizational Unit to the members of the Domain\GroupName security group:

dsacls "ou=ouname,dc=domain,dc=com" /i:s /g "Domain\GroupName":rpwp;lockouttime;user


"ou=ouname,dc=domain,dc=com"                 - The OU to which you want to delegate authority.

/i:s                                         - Permissions are inherited onto child objects only. 

/g "Domain\GroupName":rpwp;lockouttime;user  - Grant "Domain\GroupName" the Read Property (rp)
                                               and Write Property (wp) permissions
                                               on the lockoutTime attribute,
                                               applied to user objects only.

To delegate the authority to members of the Help Desk group over user accounts in the Sales Organizational Unit in the prod.jsiinc.com domain (down-level domain name = prod):

dsacls "ou=sales,dc=prod,dc=jsiinc,dc=com" /i:s /g "prod\help desk":rpwp;lockouttime;user
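
A batch wrapper around the command above that snapshots the OU's ACL before and after the grant and then lists every lockoutTime entry, so the delegation can be reviewed. This is an added example, not part of the original tip; the script name and temp file names are hypothetical, and it assumes dsacls lists property-specific entries by attribute name.

```bat
@echo off
rem Added example, not part of the original tip.
rem Usage (the file name delegate-unlock.cmd is hypothetical):
rem   delegate-unlock.cmd "ou=sales,dc=prod,dc=jsiinc,dc=com" "prod\help desk"
setlocal
if "%~2"=="" goto usage
set "OU=%~1"
set "GRP=%~2"
set "BEFORE=%TEMP%\dsacls-before.txt"
set "AFTER=%TEMP%\dsacls-after.txt"

rem Snapshot the OU's ACL first so the change can be reviewed afterwards.
dsacls "%OU%" > "%BEFORE%"

rem The grant from the tip: read/write property on lockoutTime,
rem inherited onto user objects below the OU.
dsacls "%OU%" /i:s /g "%GRP%":rpwp;lockouttime;user

rem Snapshot again and show only the lines that changed.
dsacls "%OU%" > "%AFTER%"
fc "%BEFORE%" "%AFTER%"
if not errorlevel 1 echo No ACL change detected: the grant failed or was already present.

rem List every entry that refers to lockoutTime on this OU.
rem Assumption: dsacls prints the attribute name for property-specific entries.
findstr /i /c:"lockoutTime" "%AFTER%"
if errorlevel 1 goto noace
exit /b 0

:noace
echo No lockoutTime entry found on "%OU%".
exit /b 1

:usage
echo Usage: %~nx0 "OU distinguished name" "DOMAIN\Group"
exit /b 2
```

Any trustee in the final listing other than the intended group already holds rights over lockoutTime in that OU and is worth checking.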
