troubleshooting Question

Delegated unlock user account from custom mmc

omko asked on
OS Security
I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter: Q294952.

Next I have constructed a custom MMC where I am able to unlock a user account through the properties of the user.
So far everything goes fine!

BUT! In the MMC I have created a button "unlock account" which calls a VBS script that unlocks the account.

This script also works fine, but only when the user has full change rights on the user object he wants to unlock.

And I have only delegated the unlock right (lockoutTime), and I don't want to give more than the strictly necessary rights.

The VBS script I have created goes wrong on the userobject.SetInfo.
I receive the error that I don't have access...

Does anybody know where I have to set rights so that I am also able to unlock the user account with the VBS script?

This is from the Event Viewer on the domain controller:


1st event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696797}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Property
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl


2nd event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696798}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Self
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl
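
The two audit events above name the attribute the script tried to write (userAccountControl), while the delegation in the question covers only lockoutTime. As an added example (not part of the original question or its answers), this Python code parses that event text and lists attempted attribute writes that fall outside the delegated set; the function names, the `DELEGATED` set and the condensed sample event are assumptions made for illustration.

```python
import re

# Attributes the delegation is meant to cover (the question delegates lockoutTime only).
DELEGATED = {"lockouttime"}
FIELDS = ("Object Type", "Object Name", "Client User Name", "Client Domain")

# Constructed sample: condensed from the events quoted in the question, placeholder DN.
SAMPLE = """\
Object Open:
      Object Type:     user
      Object Name:     CN=Test User,OU=Gebruikers,DC=dz,DC=local
      Client User Name:     huizengou
      Client Domain:     DZ
      Accesses          Write Property
      Privileges          -
 Properties:
---
          Account Restrictions
               userAccountControl
"""

def parse_event(text):
    """Return the labelled fields plus the access list and the property names."""
    event = {"Accesses": [], "Properties": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) <= {"-", "_"}:
            continue  # skip blank lines and separator rules
        m = re.match(r"([A-Za-z ]+):\s+(.+)$", line)
        if m and m.group(1) in FIELDS:
            event[m.group(1)], section = m.group(2), None
        elif line.split()[0] in ("Accesses", "Privileges", "Properties:"):
            section = line.split()[0].rstrip(":")
            rest = line[len(section):].strip(": ")
            if rest and section == "Accesses":
                event[section].append(rest)
        elif section in ("Accesses", "Properties"):
            event[section].append(line)  # continuation line of the open section
    return event

def undelegated_writes(event, delegated=DELEGATED):
    """Attributes the client tried to write that are outside the delegation."""
    if not any(a.startswith("Write") for a in event["Accesses"]):
        return []
    # Assumption: property-set names contain spaces, attribute names do not.
    attrs = [p for p in event["Properties"] if " " not in p]
    return [a for a in attrs if a.lower() not in delegated]
```

Running `undelegated_writes(parse_event(SAMPLE))` on the sample reports `userAccountControl`, the attribute write that the lockoutTime-only delegation does not cover.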

 
ASKER CERTIFIED SOLUTION
Gunsen
