I need help setting up Active Directory (AD) administrative delegation for my company’s IT Help desk. How do you give Help desk administrators the ability to unlock user accounts and reset user passwords?
To achieve these AD delegation requirements, you must give Help desk administrators the ability to
To delegate these administrative tasks to your Help desk administrators, you need to set the following permissions for the Help desk accounts or group on the organizational unit (OU) for which you want to delegate permissions:
To display the pwdLastSet and lockoutTime user account attributes in the Advanced view of the AD ACL editor, you must edit the dssec.dat configuration file on the domain controller on which you are setting up the delegation. Set the value of the lockoutTime and pwdLastSet attribute entries to 0 (the default value is 7). Figure 1 illustrates this process.
Because the number of different object classes and properties stored in AD is relatively large, by default the Advanced view of the ACL editor displays only a subset of those object classes and properties. To change which items the ACL editor displays, edit the dssec.dat file located in the %systemroot%\System32 directory of every domain controller.
The dssec.dat file contains a bracketed entry for every object class. If an object class's @ value is set to 7, the class is not displayed in the ACL editor; if the value is set to 0, the class is displayed. The same rule applies to the individual object properties listed under each class: if a property's value is set to 7, the property isn't displayed; 6 means that only the read permission is displayed; 5 means that only the write permission is displayed; and 0 means that both the read and write permissions are displayed for the property. For your changes to dssec.dat to take effect, you must close and restart the AD Users and Computers Microsoft Management Console (MMC) snap-in.
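The following PowerShell script is an added example, not part of the original article, that performs the dssec.dat edit described above on the local domain controller: it backs up the file, walks its bracketed sections, and changes the pwdLastSet and lockoutTime entries under the user object class from their default of 7 (hidden) to 0 (read and write displayed). The file path ($env:SystemRoot\System32\dssec.dat), the section name [user] and the ASCII write encoding are assumptions based on the article's description of the file; run it in an elevated session on the domain controller where you will perform the delegation.

```powershell
# Added example (not from the original article). Shows the pwdLastSet and
# lockoutTime attributes in the ACL editor's Advanced view by setting their
# dssec.dat entries under the [user] class to 0 (7 = hidden, 0 = read and write shown).
# Assumption: dssec.dat lives in %SystemRoot%\System32 and uses INI-style
# "[class]" headers followed by "attribute=value" lines.

$dssec = Join-Path $env:SystemRoot 'System32\dssec.dat'
$attributesToShow = @('pwdLastSet', 'lockoutTime')   # entries to switch to 0

# Keep a timestamped copy before modifying a system configuration file
$backup = "$dssec.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $dssec -Destination $backup
Write-Host "Backup written to $backup"

$section = ''
$changed  = 0
$out = foreach ($line in (Get-Content -Path $dssec)) {
    # A bracketed line starts a new object-class section, e.g. [user]
    if ($line -match '^\[(.+)\]\s*$') {
        $section = $Matches[1]
        $line
        continue
    }
    # Only rewrite the two target attributes, and only inside the [user] section
    if ($section -eq 'user' -and
        $line -match '^(?<name>[^=]+)=(?<value>\d)\s*$' -and
        $attributesToShow -contains $Matches['name']) {
        if ($Matches['value'] -ne '0') { $changed++ }
        "$($Matches['name'])=0"
        continue
    }
    # Everything else (other classes, other attributes, comments) passes through unchanged
    $line
}

# dssec.dat is plain ASCII text; write it back without introducing a BOM
Set-Content -Path $dssec -Value $out -Encoding Ascii

Write-Host "Changed $changed entry/entries under [user]."
Write-Host 'Close and restart the Active Directory Users and Computers snap-in to load the new settings.'

# Verification: print the resulting values for the two attributes
Get-Content -Path $dssec | Select-String -Pattern '^(pwdLastSet|lockoutTime)='
```

The script deliberately touches only the two named entries in the [user] section and leaves every other class and property at its existing value, so the ACL editor stays as uncluttered as before; if $changed reports 0, the entries were already visible (or are missing from the file, in which case check the backup and the section name). Because dssec.dat is read per domain controller, repeat the edit on each DC from which Help desk delegation will be administered.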