Access Denied: Editing the Dssec.dat File

In "Delegating the Right to Unlock User Accounts," April 2002, InstantDoc ID 24375, you explain how to delegate to a Help desk the right to unlock user accounts. (By default, lockoutTime doesn't appear in a user's ACL, so no way exists to delegate such authority to users without giving them the authority to write to all properties.) You explain that one can edit the dssec.dat file, which Windows 2000 uses to determine which properties to include in the ACLs for Active Directory (AD) objects. You say that any property name with "=7" tells Win2K to leave the property out of ACLs and that changing the "=7" to any other value should make lockoutTime appear in the ACL window. I followed your instructions and edited the dssec.dat file on the domain controller (DC). Under the user section, I changed lockoutTime=7 to lockoutTime=8. But the technique didn't work for me. Why isn't lockoutTime appearing in the ACL window?

You must edit the dssec.dat file on your workstation, not on the DC. When determining which property permissions to display in the ACL of a user account or any other AD object, Win2K reads the dssec.dat file on the workstation you're logged on to, not the copy on the DC.
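As an added example (not part of the column), the following Python script performs the edit the answer describes on the local workstation's copy of dssec.dat: it locates the `[user]` section, rewrites the `lockoutTime=7` line there, leaves the same property in other sections alone, and backs the file up first. It assumes the file lives at `%SystemRoot%\System32\dssec.dat` (the usual location, treated here as an assumption), that the script runs elevated on the workstation where the ACL editor is opened, and it uses `0` as the replacement value only because the column states that any value other than 7 un-hides the property. The sample file text is constructed for illustration.

```python
"""Un-hide an AD attribute in the ACL editor by editing the workstation's dssec.dat.

dssec.dat is an INI-style file: one section per object class ([user],
[computer], ...) and lines of the form  attributeName=7 . Per the column,
=7 hides the attribute from the ACL editor, and the file consulted is the
one on the workstation running the ACL editor, not the one on the DC.
"""
import os
import re
import shutil
import sys

# Assumed default location of the file on the local workstation.
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "dssec.dat")
HIDDEN = "7"          # value the column says hides a property
VISIBLE = "0"         # assumed: any value other than 7 un-hides it

_HEADER = re.compile(r"^\s*\[(.+?)\]\s*$")
_KV = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")


def get_dssec_property(text, section, prop):
    """Return the value of prop inside [section], or None if absent.
    Section and property names are matched case-insensitively."""
    in_target = False
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            in_target = header.group(1).strip().lower() == section.lower()
            continue
        if in_target:
            kv = _KV.match(line)
            if kv and kv.group(1).lower() == prop.lower():
                return kv.group(2)
    return None


def set_dssec_property(text, section, prop, value=VISIBLE):
    """Return (new_text, changed) with prop=value set inside [section] only.

    Other sections are untouched, so e.g. [computer] lockoutTime stays hidden
    when [user] lockoutTime is exposed. A missing property is appended to the
    section; a missing section is appended to the file. Line endings (CRLF
    in the real file) are preserved.
    """
    nl = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    result, in_target, seen, found, changed = [], False, False, False, False
    for line in lines:
        header = _HEADER.match(line)
        if header:
            if in_target and not found:
                result.append(f"{prop}={value}")   # section ended, prop absent
                found = changed = True
            in_target = header.group(1).strip().lower() == section.lower()
            seen = seen or in_target
            result.append(line)
            continue
        if in_target:
            kv = _KV.match(line)
            if kv and kv.group(1).lower() == prop.lower():
                found = True
                if kv.group(2) != value:
                    line = f"{kv.group(1)}={value}"
                    changed = True
        result.append(line)
    if not seen:
        result.append(f"[{section}]")
    if not found:
        result.append(f"{prop}={value}")
        changed = True
    tail = nl if text.endswith(("\r\n", "\n")) or not text else ""
    return nl.join(result) + tail, changed


def apply_edit(path=DEFAULT_PATH, section="user", prop="lockoutTime",
               value=VISIBLE, dry_run=False):
    """Edit the file in place (after writing path + '.bak'); return True if changed."""
    with open(path, encoding="utf-8", errors="surrogateescape", newline="") as f:
        text = f.read()
    new_text, changed = set_dssec_property(text, section, prop, value)
    if changed and not dry_run:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as f:
            f.write(new_text)
    return changed


# Constructed sample in the file's format (not a real dssec.dat excerpt).
SAMPLE = "[user]\r\nlockoutTime=7\r\npwdLastSet=7\r\n[computer]\r\nlockoutTime=7\r\n"

if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    print("changed" if apply_edit(dry_run=dry) else "already visible",
          "(dry run)" if dry else "")
```

Run it on the workstation where you open the ACL editor (with administrative rights, since the file sits under System32), then reopen the object's security dialog; running it on the DC changes nothing for other workstations, which is exactly the point of the answer.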
