  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 597
  • Last Modified:

Delegated unlock user account from custom mmc

I want to give some users in our organisation the ability to unlock user accounts.
I have used this knowledge base article as a starter: Q294952.

Next I have constructed a custom MMC where I am able to unlock a user account through the properties of the user.
Until so far everything goes fine!

BUT! In the MMC I have created a button "unlock account" which calls a VBS script that unlocks the account.

This script also works fine, but only when the user has full change rights on the user object he wants to unlock.

And I have only delegated the unlock right (lockoutTime), and I don't want to give more than the highly necessary rights.

The VBS script I have created goes wrong on the userobject.SetInfo.
I receive the error that I don't have access...

Does anybody know where I have to set rights so that I am also able to unlock the user account with the VBS script?

this is from the eventviewer from the domain controller:


1st event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696797}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Property
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl


2nd event
____________________________________________________
Object Open:
      Object Server:     DS
      Object Type:     user
      Object Name:     CN=Mey\, van der\, M. Miró [Test],OU=Gebruikers,DC=dz,DC=local
      New Handle ID:     -
      Operation ID:     {0,333696798}
      Process ID:     304
      Primary User Name:     DC12$
      Primary Domain:     DZ
      Primary Logon ID:     (0x0,0x3E7)
      Client User Name:     huizengou
      Client Domain:     DZ
      Client Logon ID:     (0x0,0x13E3CF00)
      Accesses          Write Self
               
      Privileges          -

 Properties:
---
          Account Restrictions
               userAccountControl

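The failure omko describes, shown as an added example that is not part of the original post or of KB Q294952: a script that unlocks the account by writing only lockoutTime = 0, which needs exactly the delegated Read/Write lockoutTime permission and nothing else. The distinguished name on the usage line is a placeholder; the E_ACCESSDENIED value is the standard Windows "Access is denied" HRESULT. Note what the two audit events above actually show: Write Property and Write Self on userAccountControl. That is the attribute a script touches when it goes through the IADsUser lockout/disabled flags instead of lockoutTime, and it is not covered by a lockoutTime-only delegation, so SetInfo is denied.

```vbscript
' Added example, not the poster's script or the KB article's code.
' Unlocks an AD user by writing only the lockoutTime attribute, so the
' delegated "Write lockoutTime" right from Q294952 is the only permission
' the caller needs. A script that instead clears the lockout through the
' userAccountControl flag (IADsUser.IsAccountLocked = False) produces the
' "Write Property ... userAccountControl" audit entries and is denied
' unless userAccountControl is writable too.
'
' Usage:  cscript //nologo UnlockUser.vbs "CN=Some User,OU=Gebruikers,DC=dz,DC=local"
' The DN above is an assumed placeholder; pass the real distinguished name.
Option Explicit

Const E_ACCESSDENIED = &H80070005   ' "Access is denied" (HRESULT)

Dim strUserDN, objUser, objLockout, blnLocked

If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript UnlockUser.vbs <user distinguished name>"
    WScript.Quit 1
End If
strUserDN = WScript.Arguments(0)

On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strUserDN & ": " & Err.Description
    WScript.Quit 1
End If

' lockoutTime is a 64-bit FILETIME (IADsLargeInteger). It is absent or 0 when
' no lockout has been recorded; a non-zero value means a lockout was recorded
' (whether it is still in force depends on the domain's lockout duration).
Set objLockout = objUser.Get("lockoutTime")
If Err.Number <> 0 Then
    Err.Clear              ' attribute not set: the account was never locked out
    blnLocked = False
Else
    blnLocked = (objLockout.HighPart <> 0 Or objLockout.LowPart <> 0)
End If
On Error GoTo 0

If Not blnLocked Then
    WScript.Echo "Account is not locked out: " & strUserDN
    WScript.Quit 0
End If

' Write only lockoutTime = 0. This touches no other attribute, so the delegated
' Read/Write lockoutTime permission is sufficient for SetInfo to succeed.
On Error Resume Next
objUser.Put "lockoutTime", 0
objUser.SetInfo
If Err.Number = E_ACCESSDENIED Then
    WScript.Echo "Access denied writing lockoutTime on " & strUserDN & _
                 ". Check that Write lockoutTime is delegated on the OU that " & _
                 "contains this user and inherited to user objects."
    WScript.Quit 1
ElseIf Err.Number <> 0 Then
    WScript.Echo "Unlock failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Unlocked: " & strUserDN
```

Run it from the MMC task with the target user's DN as the argument. If it still fails with access denied, the audit event on the domain controller will now name lockoutTime rather than userAccountControl in its Properties section, which tells you the delegation itself (scope, inheritance to user objects, or the Property-specific Write lockoutTime entry) is what is missing rather than the script.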
Asked by: omko

1 Solution
Ghost_Hacker commented:
You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"


Ghost_Hacker commented:
Also make sure that the user with those rights has them  for the correct OU or domain.
omko (Author) commented:
[quote]
You did do the following step:

"On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next"
[/quote]

Trying to score easy points?
Of course I did this, as I told in the second line of my question.

omko (Author) commented:
[quote]
Also make sure that the user with those rights has them  for the correct OU or domain.
[/quote]

The user only had rights on the OU where the user objects are contained, and of course on the users in it.
The user doesn't have rights on the domain... do you think that would be a problem?
Ghost_Hacker commented:
*Trying to score easy points?*

I never assume you did anything, so I'll ask to be sure.

But hey, it's YOUR problem, not mine, buddy. I know how to do my own research to answer my own problems.

Maybe someone else will provide your company with free tech support.
Gunsen commented:
The property "Account Disabled" (bit) is stored in userAccountControl, thus you should allow Read/Write permissions to this property!