Solved

enable users to unlock their Own AD account

Posted on 2011-02-18
6
1,502 Views
1 Endorsement
Last Modified: 2012-08-13
I wonder if there is a way to give certain users the ability to unlock their own Active Directory accounts without creating a separate domain admins account?

Thanks
1
Comment
Question by:jskfan
6 Comments
 
LVL 5

Accepted Solution

by:
NotVeryFat earned 167 total points
ID: 34924599
Not sure this is possible, because to be able to unlock an account a user has to authenticate against Active Directory. So, even if they have permission, if their account is locked, they won't be authenticated... As a domain admin, if my AD account is locked I have to get someone else to unlock it as I can't access AD...
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 166 total points
ID: 34924601
You can delegate right to global group to which you assign those users and set up "Reset users passwords and force password change at next logon" But they will be able to reset/unlock account also for other users (not only theirs) except domain administrators/enterprise administrators

Regards,
Krzysztof
0
 
LVL 4

Assisted Solution

by:majidhajali
majidhajali earned 167 total points
ID: 34924630
It is not very simple. you need to delegate control for each account, it means you have to apply persmission ( delegate control) for example 300 times.
If you want to get rid of unlocking accounts, the best solution is to delegate the task to one of the helpdesks and delegate this permission to him/her.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:jskfan
ID: 34924722
So I can create 2 accounts a user .
Account1 and Account2
and delegate them the right of paasword reset.

would this work even if the Account1 has more privileges in AD than the Account2, for instance Account1 is account operator and Account2 is only domain user?


0
 

Author Comment

by:jskfan
ID: 34950310
in Security tab of a user Object.
Cannot I just add another account to ACL and give this account Full Control over the user object ?

For instance, in the properties of User1 /Security tab. I click add to add User2 and while highlighting User2 in the ACL I check the box Full Control.

Would this allow USER2 to reset password to User1? maybe more privileges?

0
 

Author Closing Comment

by:jskfan
ID: 35107638
thanks
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question