omko
 asked on

Delegated unlock user account from custom mmc

I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter: Q294952.

Next I have constructed a custom MMC where I am able to unlock a user account through the properties of the user.
So far everything goes fine!

BUT! In the MMC I have created a button "unlock account" which calls a VBS script that unlocks the account.

This script also works fine, but only when the user has full change rights on the user object he wants to unlock.

And I have only delegated the unlock right (lockoutTime), and I don't want to give more than the strictly necessary rights.

The VBS script I have created goes wrong on the userobject.SetInfo
I receive the error that I don't have access...

Does anybody know where I have to set rights so that I am also able to unlock the user account with the VBS script?

This is from the Event Viewer on the domain controller:


1st event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696797}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Property
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl


2nd event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696798}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Self
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl

 
OS Security
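
An added example, not part of the original post: the two audit events quoted above record write access requested on userAccountControl, while the delegation described covers only lockoutTime. The Python below parses events in that text layout and lists every write that falls outside the delegated set; the function names, the trimmed sample and the DELEGATED set are assumptions made for illustration.

```python
import re

# Constructed sample: the two "Object Open" audit events from the question,
# trimmed to the fields this check reads (values copied from the post).
AUDIT_DUMP = """\
Object Open:
      Object Type:     user
      Client User Name:     huizengou
      Accesses          Write Property

 Properties:
---
          Account Restrictions
               userAccountControl

Object Open:
      Object Type:     user
      Client User Name:     huizengou
      Accesses          Write Self

 Properties:
---
          Account Restrictions
               userAccountControl
"""

# Assumption: the delegation grants read/write on lockoutTime only.
DELEGATED = {"lockouttime"}

def parse_events(dump):
    """Return one dict per event: client user, access type, attributes touched."""
    events = []
    for chunk in dump.split("Object Open:")[1:]:
        head, _, props = chunk.partition("Properties:")
        user = re.search(r"Client User Name:\s*(\S+)", head)
        access = re.search(r"Accesses\s+(.+)", head)
        # Attribute names are single tokens; property-set names such as
        # "Account Restrictions" contain a space and are skipped.
        attrs = re.findall(r"^\s+([A-Za-z][\w-]*)\s*$", props, re.M)
        events.append({"user": user.group(1) if user else None,
                       "access": access.group(1).strip() if access else None,
                       "attrs": attrs})
    return events

def undelegated_writes(events, delegated=DELEGATED):
    """List (user, access, attribute) for writes outside the delegated set."""
    return [(e["user"], e["access"], a) for e in events
            if (e["access"] or "").startswith("Write")
            for a in e["attrs"] if a.lower() not in delegated]

if __name__ == "__main__":
    for hit in undelegated_writes(parse_events(AUDIT_DUMP)):
        print("write outside delegation: %s / %s / %s" % hit)
```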

Last Comment
CleanupPing

8/22/2022 - Mon
Ghost_Hacker

You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"


Ghost_Hacker

Also make sure that the user with those rights has them for the correct OU or domain.
omko

ASKER
[quote]
You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[/quote]

Trying to score easy points?
Of course I did this, as I told in the second line of my question.



omko

ASKER
[quote]
Also make sure that the user with those rights has them for the correct OU or domain.
[/quote]

The user only had rights on the OU where the user objects are contained, and of course on the users in it.
The user doesn't have rights on the domain.... Do you think that would be a problem?
Ghost_Hacker

*trying to score easy points?*


I never assume you did anything, so I'll ask to be sure.

But, hey, it's YOUR problem not mine, buddy. I know how to do my own research to answer my own problems.


Maybe someone else will provide your company with free tech support.
ASKER CERTIFIED SOLUTION
Gunsen

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
CleanupPing

omko:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.