Can Domain user Unlock Domain admin account after Delegation

I have created user group in AD, then I delegated the group to unlock user accounts.
As a test I put one user in domain admins group and type worn password several times to lock him out. I used another user which is member if the group I delegated in order to unlock the account, but it shows greyed out.

followed steps 1 to 9
but I could not get a domain user to unlock account of a Domain Admins user

Apparently even with delegation domain user will not be able to unlock domain admins account.

Any work around this.?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
All users that are members of protected groups will have their DACLs configured according to the restrictions placed on the groups.

More info:


Excerpt from the second link:
The accounts and groups listed in this table and all members of these groups are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings

So what this boils down to is that the user that unlocks those accounts must also be a domain admin.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
That right,

Also from logical \ security point of view you should not get delegated access anyhow to unlock, reset password of high privileged accounts such as accounts having membership of domain admins.

Since these groups are responsible for managing entire domain, it make sense to keep those groups out of reach of other standard delegated accounts.

In reality to make this happens MS need to do lot of changes in architecture which will introduce security holes in AD and probably destroy the concept of active directory


Why would you need others to unlock that account? The buil-in domain admin "administrator" could be used to unlock others. By default that one will never lock.
Get Blueprints for Increased Customer Retention

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
It doesn't sound like jskfan is talking about the  built-in account, rather members of the Domain Admins group.
jskfanAuthor Commented:
Jeremy Weisinger

I had a question: "Why would you need others to unlock that account?"
Because I thought, if those (the other domain admins, not the built-in ones) lock, another admin could reset them at any time using the built-in administrator. And I saw no reason why any user with delegated permissions would need to unlock a domain admin.

So please answer it, so I can understand. :)
Totally agreed with Mike, as already stated in earlier comment allowing delegated access to standard users to play with high previleged accounts would break AD security model and that is the reason its not allowed by MS

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
@MkKnife Don't get me wrong, I totally agree with you. And of course the built-in account won't be locked. It's just that I believe the goal was to have non-admin users be able to unlock admin accounts.

And of course the answer is that it can't be done.
Jeremy, I tried to ask jskfan something. jskfan, still waiting :)
jskfanAuthor Commented:
because we have users in the operations that work 24/7 , and we want them to be called by domain admins to unlock their accounts instead of domain admins wake each other up to unlock the accounts...
In that case as stated by MIKE earlier, you can use built-in administrator in active directory to logon to directory server and unlock other domain admins account without issue as that account never get locked

jskfanAuthor Commented:
Sorry for the delay…


do you mean I need to add users from operation team to builtin Administrators group in AD , then they will be able to unlock Domain Admins accounts?
NO. Just as "MIKE"=me, McKnife wrote earlier, the account "administrator" is also a domain account and a domain administrator. And that one cannot logout, leaving it free for tasks like unlocking other domain admins. Now clear?
jskfanAuthor Commented:
Thank you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.