Access Denied: Delegating the Right to Unlock User Accounts

As an Administrator, I want to delegate the right to unlock locked user accounts. When I create a custom task, I can delegate many rights, including resetting passwords and setting the read/write expiration date, but how can I delegate the right to unlock locked user accounts?

To unlock locked user accounts, you need write access to the lockoutTime property. However, you're right that lockoutTime doesn't appear in the Permissions dialog box for user accounts. By default, Windows 2000 includes in the Permissions dialog box only a subset of the user account properties available for delegation. Win2K reads the file dssec.dat, which resides in %systemroot%\system32, to determine which properties to hide when it displays the Permissions dialog box. If you look at dssec.dat, you'll see each class of Active Directory (AD) objects identified by the object name in brackets. Under each object's header line, you'll see a list of the object's properties, each followed by =7. This number tells Win2K to hide that property when you edit permissions for that type of object. To change which properties appear in the Permissions dialog box, search for the [user] heading and look under it for the line that reads lockoutTime=7. If you change the 7 to some other value, such as 8, lockoutTime will appear in the Permissions dialog box, and you can then grant write access to it as part of your custom task.
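The edit described above is easy to get wrong by hand, because lockoutTime appears under more than one object class in dssec.dat and only the [user] entry should change. The following Python script, added here as an illustration and not part of the original column, rewrites the value of one property within one bracketed section and leaves every other line untouched. The sample file content is constructed to match the layout the column describes (it is not a copy of the real dssec.dat), the function names are ours, and the replacement value 8 is the one the column suggests. Changing dssec.dat only changes what the dialog shows on that machine; it grants no permission by itself, so the write access on lockoutTime still has to be delegated afterwards.

```python
"""Added example: unhide one property in a dssec.dat-style filter file.

The file layout (bracketed AD class names, property=7 lines) follows the
column above; SAMPLE_DSSEC is constructed, not the real file.
"""
import re
from typing import List, Tuple

# Constructed sample in the dssec.dat layout (not the real file).
SAMPLE_DSSEC = """\
[computer]
lockoutTime=7
managedBy=7
[user]
accountExpires=7
lockoutTime=7
pwdLastSet=7
[group]
member=7
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def hidden_properties(text: str, object_class: str) -> List[str]:
    """Return the properties under [object_class] whose value is 7 (hidden)."""
    current = None
    hidden = []
    for line in text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            current = m.group("name").lower()
            continue
        if current != object_class.lower():
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip() == "7":
            hidden.append(key.strip())
    return hidden


def unhide_property(text: str, object_class: str, prop: str,
                    new_value: str = "8") -> Tuple[str, int]:
    """Rewrite the value of `prop` only inside the [object_class] section.

    Every other line, including the same property name under another class,
    is copied through unchanged. Returns (new_text, number_of_lines_changed).
    """
    current = None
    changed = 0
    out = []
    for line in text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            current = m.group("name").lower()
        elif current == object_class.lower():
            key, sep, _ = line.partition("=")
            if sep and key.strip().lower() == prop.lower():
                out.append(f"{key.strip()}={new_value}")
                changed += 1
                continue
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


if __name__ == "__main__":
    # On a real host you would read %systemroot%\system32\dssec.dat here,
    # after taking a backup copy, and write the result back.
    updated, n = unhide_property(SAMPLE_DSSEC, "user", "lockoutTime")
    print(f"changed {n} line(s)")
    print("still hidden under [user]:", hidden_properties(updated, "user"))
    print(updated)
```

Running the script against the sample changes exactly one line (the lockoutTime entry under [user]); the lockoutTime entry under [computer] keeps its value of 7, which is the behaviour you want when editing the real file.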
