enable users to unlock their Own AD account

Posted on 2011-02-18
Medium Priority
1 Endorsement
Last Modified: 2012-08-13
I wonder if there is a way to give certain users the ability to unlock their own Active Directory accounts without creating a separate domain admins account?

Question by:jskfan

Accepted Solution

NotVeryFat earned 668 total points
ID: 34924599
Not sure this is possible, because to be able to unlock an account a user has to authenticate against Active Directory. So, even if they have permission, if their account is locked, they won't be authenticated... As a domain admin, if my AD account is locked I have to get someone else to unlock it as I can't access AD...
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 664 total points
ID: 34924601
You can delegate right to global group to which you assign those users and set up "Reset users passwords and force password change at next logon" But they will be able to reset/unlock account also for other users (not only theirs) except domain administrators/enterprise administrators


Assisted Solution

majidhajali earned 668 total points
ID: 34924630
It is not very simple. you need to delegate control for each account, it means you have to apply persmission ( delegate control) for example 300 times.
If you want to get rid of unlocking accounts, the best solution is to delegate the task to one of the helpdesks and delegate this permission to him/her.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 34924722
So I can create 2 accounts a user .
Account1 and Account2
and delegate them the right of paasword reset.

would this work even if the Account1 has more privileges in AD than the Account2, for instance Account1 is account operator and Account2 is only domain user?


Author Comment

ID: 34950310
in Security tab of a user Object.
Cannot I just add another account to ACL and give this account Full Control over the user object ?

For instance, in the properties of User1 /Security tab. I click add to add User2 and while highlighting User2 in the ACL I check the box Full Control.

Would this allow USER2 to reset password to User1? maybe more privileges?


Author Closing Comment

ID: 35107638

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question