MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.
COURSE of the MONTH
12 days, left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Delegated unlock user account from custom mmc
Posted on 2003-02-20
I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter Q294952.
next I have constructed a custom mmc where i am able to unlock a user account through the properties of the user.
until so far everything goes fine!
BUT! in the mmc i have created a button "unlock account" which calls a vbs script that unlocks the account.
this script also works fine, but only when the user has full change rights on the userobject he wants to unlock.
and I have only delegated the unlock-right (lockoutTime). and i don't want to give more then the highly neccesary rights.
the vbs script i have created goes wrong on the userobject.SetInfo
i recieve the error that i dont have access...
does annybody know where i have to set rights so that i am also able to unlock the user account with the vbs script???????????
this is from the eventviewer from the domain controller:
1st event
__________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz
New Handle ID: -
Operation ID: {0,333696797}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Property
Privileges -
Properties:
---
Account Restrictions
userAccountControl
2nd event
__________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz
New Handle ID: -
Operation ID: {0,333696798}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Self
Privileges -
Properties:
---
Account Restrictions
userAccountControl
I have used this knowledge base article as a starter Q294952.
next I have constructed a custom mmc where i am able to unlock a user account through the properties of the user.
until so far everything goes fine!
BUT! in the mmc i have created a button "unlock account" which calls a vbs script that unlocks the account.
this script also works fine, but only when the user has full change rights on the userobject he wants to unlock.
and I have only delegated the unlock-right (lockoutTime). and i don't want to give more then the highly neccesary rights.
the vbs script i have created goes wrong on the userobject.SetInfo
i recieve the error that i dont have access...
does annybody know where i have to set rights so that i am also able to unlock the user account with the vbs script???????????
this is from the eventviewer from the domain controller:
1st event
__________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz
New Handle ID: -
Operation ID: {0,333696797}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Property
Privileges -
Properties:
---
Account Restrictions
userAccountControl
2nd event
__________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz
New Handle ID: -
Operation ID: {0,333696798}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Self
Privileges -
Properties:
---
Account Restrictions
userAccountControl
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
-
2
- +1
7 Comments
You did do the following step:
"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[quote]
You did do the following step:
"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[/quote]
trying to score easy points?
ofcourse i did this as i told in the second line of my question.
You did do the following step:
"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[/quote]
trying to score easy points?
ofcourse i did this as i told in the second line of my question.
[quote]
Also make sure that the user with those rights has them for the correct OU or domain.
[/quote]
the user only had rights on the ou where the user objects are contained. and ofcourse on the users in it.
the user doesnt have rights on the domain.... do you think that would a problem?
Also make sure that the user with those rights has them for the correct OU or domain.
[/quote]
the user only had rights on the ou where the user objects are contained. and ofcourse on the users in it.
the user doesnt have rights on the domain.... do you think that would a problem?
*trying to score easy points?*
I never assume you did anything, so I'll ask to be sure.
But, hey its YOUR problem not mine buddy. I know how to do my own research to answer my own problems.
Mabey someone else will provide your company with free tech support.
I never assume you did anything, so I'll ask to be sure.
But, hey its YOUR problem not mine buddy. I know how to do my own research to answer my own problems.
Mabey someone else will provide your company with free tech support.
The property "Account Disabled" (bit) is store in userAccountControl, thus you should allow Read/Write permissions to this property !
omko:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
Featured Post
Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
OfficeMate Freezes on login or does not load after login credentials are input.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen.
Visualize your data! ... really see it
To use the code to create a calendar from a q…
Suggested Courses
Course of the Month12 days, left to enroll
752 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.