omko


Delegated unlock user account from custom mmc

I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter: Q294952.

Next I constructed a custom MMC where I am able to unlock a user account through the properties of the user.
So far everything goes fine!

BUT! In the MMC I have created a button "unlock account" which calls a VBS script that unlocks the account.

This script also works fine, but only when the user has full change rights on the user object he wants to unlock.

And I have only delegated the unlock right (lockoutTime), and I don't want to give more than the strictly necessary rights.

The VBS script I have created goes wrong on the userobject.SetInfo
I receive the error that I don't have access...

Does anybody know where I have to set rights so that I am also able to unlock the user account with the VBS script?

This is from the event viewer on the domain controller:


1st event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696797}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Property
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl


2nd event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696798}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Self
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl
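
The audit events quoted in the question name the property each write request touched (userAccountControl), while the delegation covers only lockoutTime. The following is an added example, not part of the thread: it parses event text in the layout quoted above and lists written properties that fall outside the delegated set. The function names and the abridged sample are this example's own.

```python
import re

# Write access delegated in the question (per the KB Q294952 steps): lockoutTime only.
DELEGATED_WRITE = {"lockoutTime"}

# First audit event from the question, abridged to the fields used here.
SAMPLE_EVENT = r"""Object Open:
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      Client User Name:     huizengou
      Accesses          Write Property

 Properties:
---
          Account Restrictions
               userAccountControl
"""

FIELD = re.compile(r"^\s*(Object Name|Client User Name|Accesses):?\s+(.*\S)\s*$")

def parse_event(text):
    """Parse one 'Object Open' event into header fields plus (indent, name) property rows."""
    event, in_props = {"properties": []}, False
    for line in text.splitlines():
        name = line.strip()
        if in_props:
            if name and set(name) != {"-"}:  # skip blank lines and the '---' rule
                event["properties"].append((len(line) - len(line.lstrip()), name))
        elif name == "Properties:":
            in_props = True
        elif (m := FIELD.match(line)):
            event[m.group(1)] = m.group(2)
    return event

def touched_properties(event):
    """Leaf rows only: a property-set heading counts when no attribute is listed under it."""
    rows = event["properties"]
    return [name for i, (indent, name) in enumerate(rows)
            if i + 1 == len(rows) or rows[i + 1][0] <= indent]

def undelegated_writes(event, delegated=DELEGATED_WRITE):
    """Properties a write-type access touched that the delegation does not cover."""
    if not event.get("Accesses", "").startswith("Write"):
        return []
    return [p for p in touched_properties(event) if p not in delegated]

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    for prop in undelegated_writes(ev):
        print(f"{ev['Client User Name']} attempted {ev['Accesses']} on {prop!r}, "
              f"outside delegated set {sorted(DELEGATED_WRITE)}")
```

Both quoted events ("Write Property" and "Write Self") come back with userAccountControl as the property outside the delegation.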

 
Ghost_Hacker

You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"


Also make sure that the user with those rights has them for the correct OU or domain.
omko

ASKER

[quote]
You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[/quote]

Trying to score easy points?
Of course I did this, as I said in the second line of my question.



omko

ASKER

[quote]
Also make sure that the user with those rights has them for the correct OU or domain.
[/quote]

The user only had rights on the OU where the user objects are contained, and of course on the users in it.
The user doesn't have rights on the domain... do you think that would be a problem?
*trying to score easy points?*


I never assume you did anything, so I'll ask to be sure.

But, hey, it's YOUR problem, not mine, buddy. I know how to do my own research to answer my own problems.


Maybe someone else will provide your company with free tech support.
ASKER CERTIFIED SOLUTION
Gunsen

This solution is only available to members.
omko:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.