Solved

enable users to unlock their Own AD account

Posted on 2011-02-18
6
1,453 Views
1 Endorsement
Last Modified: 2012-08-13
I wonder if there is a way to give certain users the ability to unlock their own Active Directory accounts without creating a separate domain admins account?

Thanks
1
Comment
Question by:jskfan
6 Comments
 
LVL 5

Accepted Solution

by:
NotVeryFat earned 167 total points
ID: 34924599
Not sure this is possible, because to be able to unlock an account a user has to authenticate against Active Directory. So, even if they have permission, if their account is locked, they won't be authenticated... As a domain admin, if my AD account is locked I have to get someone else to unlock it as I can't access AD...
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 166 total points
ID: 34924601
You can delegate right to global group to which you assign those users and set up "Reset users passwords and force password change at next logon" But they will be able to reset/unlock account also for other users (not only theirs) except domain administrators/enterprise administrators

Regards,
Krzysztof
0
 
LVL 4

Assisted Solution

by:majidhajali
majidhajali earned 167 total points
ID: 34924630
It is not very simple. you need to delegate control for each account, it means you have to apply persmission ( delegate control) for example 300 times.
If you want to get rid of unlocking accounts, the best solution is to delegate the task to one of the helpdesks and delegate this permission to him/her.
0
 

Author Comment

by:jskfan
ID: 34924722
So I can create 2 accounts a user .
Account1 and Account2
and delegate them the right of paasword reset.

would this work even if the Account1 has more privileges in AD than the Account2, for instance Account1 is account operator and Account2 is only domain user?


0
 

Author Comment

by:jskfan
ID: 34950310
in Security tab of a user Object.
Cannot I just add another account to ACL and give this account Full Control over the user object ?

For instance, in the properties of User1 /Security tab. I click add to add User2 and while highlighting User2 in the ACL I check the box Full Control.

Would this allow USER2 to reset password to User1? maybe more privileges?

0
 

Author Closing Comment

by:jskfan
ID: 35107638
thanks
0

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now