I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter: Q294952.
Next, I have constructed a custom MMC where I am able to unlock a user account through the properties of the user.
So far everything goes fine!
BUT! In the MMC I have created a button "unlock account" which calls a VBS script that unlocks the account.
This script also works fine, but only when the user has full change rights on the user object he wants to unlock.
And I have only delegated the unlock right (lockoutTime), and I don't want to give more rights than strictly necessary.
The VBS script I have created goes wrong on the userobject.SetInfo.
I receive the error that I don't have access...
Does anybody know where I have to set rights so that I am also able to unlock the user account with the VBS script?
This is from the Event Viewer on the domain controller:
1st event
____________________________________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
New Handle ID: -
Operation ID: {0,333696797}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Property
Privileges -
Properties:
---
Account Restrictions
userAccountControl
2nd event
____________________________________________________
Object Open:
Object Server: DS
Object Type: user
Object Name: CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
New Handle ID: -
Operation ID: {0,333696798}
Process ID: 304
Primary User Name: DC12$
Primary Domain: DZ
Primary Logon ID: (0x0,0x3E7)
Client User Name: huizengou
Client Domain: DZ
Client Logon ID: (0x0,0x13E3CF00)
Accesses Write Self
Privileges -
Properties:
---
Account Restrictions
userAccountControl
"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
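As an added example (not part of the original post or the KB article), this Python sketch parses audit records in the format quoted above and lists the write accesses that name a property or property set outside the delegated one. The sample log is constructed from the two quoted events, and `DELEGATED`, `parse_event` and `undelegated_writes` are hypothetical names.

```python
# Constructed sample: the two quoted audit records, trimmed to the fields read here.
SAMPLE_LOG = """\
Object Open:
Client User Name: huizengou
Accesses Write Property
Properties:
---
Account Restrictions
userAccountControl
____________________
Object Open:
Client User Name: huizengou
Accesses Write Self
Properties:
---
Account Restrictions
userAccountControl
"""
# Assumption: the delegation covers only lockoutTime, as the post states.
DELEGATED = {"lockoutTime"}

def parse_event(text):
    """Return (fields, properties) for one 'Object Open' record."""
    fields, props, in_props = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) <= {"-", "_"}:
            continue  # blank line or separator rule
        if in_props:
            props.append(line)  # property or property-set display name
        elif line == "Properties:":
            in_props = True
        elif line.startswith("Accesses"):
            fields["Accesses"] = line[len("Accesses"):].strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, props

def undelegated_writes(log_text, delegated=DELEGATED):
    """List (client user, access, names) for writes outside the delegation."""
    allowed = {name.lower() for name in delegated}  # attribute names ignore case
    findings = []
    for chunk in log_text.split("Object Open:")[1:]:
        fields, props = parse_event(chunk)
        is_write = fields.get("Accesses", "").startswith("Write")
        extra = [p for p in props if p.lower() not in allowed]
        if is_write and extra:
            findings.append((fields.get("Client User Name"), fields["Accesses"], extra))
    return findings
```

Run against the quoted events, both records are reported because they name `Account Restrictions` and `userAccountControl`, while the delegation grants only `lockoutTime`.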