enable users to unlock their Own AD account

I wonder if there is a way to give certain users the ability to unlock their own Active Directory accounts without creating a separate domain admins account?

Thanks
jskfanAsked:
Who is Participating?
 
NotVeryFatConnect With a Mentor Commented:
Not sure this is possible, because to be able to unlock an account a user has to authenticate against Active Directory. So, even if they have permission, if their account is locked, they won't be authenticated... As a domain admin, if my AD account is locked I have to get someone else to unlock it as I can't access AD...
0
 
Krzysztof PytkoConnect With a Mentor Senior Active Directory EngineerCommented:
You can delegate right to global group to which you assign those users and set up "Reset users passwords and force password change at next logon" But they will be able to reset/unlock account also for other users (not only theirs) except domain administrators/enterprise administrators

Regards,
Krzysztof
0
 
majidhajaliConnect With a Mentor Commented:
It is not very simple. you need to delegate control for each account, it means you have to apply persmission ( delegate control) for example 300 times.
If you want to get rid of unlocking accounts, the best solution is to delegate the task to one of the helpdesks and delegate this permission to him/her.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
jskfanAuthor Commented:
So I can create 2 accounts a user .
Account1 and Account2
and delegate them the right of paasword reset.

would this work even if the Account1 has more privileges in AD than the Account2, for instance Account1 is account operator and Account2 is only domain user?


0
 
jskfanAuthor Commented:
in Security tab of a user Object.
Cannot I just add another account to ACL and give this account Full Control over the user object ?

For instance, in the properties of User1 /Security tab. I click add to add User2 and while highlighting User2 in the ACL I check the box Full Control.

Would this allow USER2 to reset password to User1? maybe more privileges?

0
 
jskfanAuthor Commented:
thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.