Q: Users frequently lock themselves out of our high-security network because of the strict lockout policies and long passwords our security requirements mandate. We want certain trusted users to be able to unlock other user’ accounts, but we don’t want to grant them the authority to reset users' passwords because that would enable them to impersonate those users. I've found permissions for resetting passwords (Set Password), but I can’t find any permissions corresponding to the Account is locked out check box on the Account tab in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. How can I delegate this permission?
A: The property that controls the lockout status of a user account is lockoutTime. Here’s how to delegate write access to this property. In the Active Directory Users and Computers snap-in, open the properties of the organizational unit (OU) that contains the user accounts that you want trusted users to have the authority to unlock. Select the Security tab and click Advanced. Click Add and enter the name of the group whose members are the trusted users and click OK. Then, select the Properties tab on the Permission Entry dialog box. In the Apply onto drop-down menu, select User objects, locate the Write lockoutTime property in the Permissions list, and select the Allow check box. Now, users in the trusted group will be able to open other user accounts in this OU and clear the Account is locked out check box without being able to modify these accounts.
