Solved

Active Directory tools for unlock only?

Posted on 2015-02-20
15
128 Views
Last Modified: 2015-02-25
Looking for a recommendation for Active Directory tools we can provide to non-IT admins for unlock only.

Would rather it be a piece of software that sits on a user's machine (or server), not a self-serve web portal.
Question by:AYR IT
15 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621262
What I would recommend is installing the RSAT (Remote Server Admin Tools) on the user's workstation and only giving them access to unlock user accounts. The MS KB article below outlines all of the steps.
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;279723

Will.
0
 
LVL 10

Assisted Solution

by:Muhammad Mulla
Muhammad Mulla earned 100 total points
ID: 40621285
You could also delegate permissions from AD to the non-IT users who require it and then install Microsoft lockout tools for them: http://www.microsoft.com/en-gb/download/details.aspx?id=18465
0
 
LVL 26

Accepted Solution

by:
pony10us earned 400 total points
ID: 40621438
I found a script some time back that we have used.  If you give the user(s) permission in AD to unlock accounts, then try this:

' Keep running past runtime errors so Err.Number can be inspected afterwards
On Error Resume Next

UserName = InputBox("Enter the user's login name that you want to unlock:")

DomainName = InputBox("Enter the domain name in which the user account exists:")

' Bind to the account through the WinNT provider and clear the lockout flag
Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")
If UserObj.IsAccountLocked = -1 Then UserObj.IsAccountLocked = 0
UserObj.SetInfo

' Note: Err.Number = 0 means no error occurred, so these two messages are reversed
If Err.Number = 0 Then
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."
Else
    WScript.Echo "The Account Unlock was Successful"
End If



Save it as a .VBS on their desktop.  I modified it a little since we only have one domain and I didn't want it asking all the time.  Just change the line:

Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")

to

Set UserObj = GetObject("WinNT://<domainname>" &"/"& UserName &"")

and remove the line:

DomainName = InputBox("Enter the domain name in which the user account exists:")

I just found the original link where I found this script:   http://www.datamation.com/entdev/article.php/3083311/UserGroup-Administration-Script-to-Unlock-a-User-Account.htm
0
 

Author Comment

by:AYR IT
ID: 40622127
Thanks for the comments. I'll come back to this and update when we implement the solution.
0
 

Author Comment

by:AYR IT
ID: 40626032
I like the script option, it works well; however I'm having a couple of issues:

1: What delegated permissions are necessary? I've followed the MS article below on assigning the rights in AD for unlock only; however, when the script is run it errors with "Error: access is denied, Code: 80070005, Source: Active Directory". Does the user require elevated local rights for this?

http://support.microsoft.com/kb/294952

2: I can run this script as an admin successfully; however, it will still pop the "Account unlock failed" message even though AD reflects the account successfully unlocked...
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626046
The link that I provided originally outlines exactly how to set up users so that they can only unlock accounts. There is no need to run this script. In the steps provided in the link above (that I provided), just add a group to the permissions you set up. From there, any time you need to add/remove users you just add or remove them from the group you assigned permissions to.

Will.
0
 

Author Comment

by:AYR IT
ID: 40626084
I read the original link; however, it doesn't seem to outline whether the users will need to use AD to access the ability to unlock.

I would prefer something like the script where the users just enter the username and it's done. This will be for users who have no reason to go into AD.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40626121
I have been playing with the script and the err.number is returning "0" regardless, so it is returning the failure message even if it works.  Basically the script is functioning otherwise.  If I get time I can check into this further; however, if you know it is working then you can either disregard the message or swap them so it always says successful (you probably want to do this so that it does give some response).
0
 

Author Comment

by:AYR IT
ID: 40626126
It definitely works fine with a user who has domain admin rights; however, I'm a bit unsure what rights are needed for the users I wish to delegate unlock-only to.

I set up a new security group for this, added the users and delegated the "read unlock / write unlock" permissions within AD; however, the users cannot successfully unlock accounts.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626162
A script will do what you want it to do, but the permissions still need to be applied via "Delegate Control" in order for the script to work. You might want to use the script over the RSAT tools, but you still need to delegate control.

Will.
0
 

Author Comment

by:AYR IT
ID: 40626185
I have already delegated control to these users with "Read lockoutTime and Write lockoutTime".

I do not want these users to utilize Active Directory to unlock users.
0
 

Author Comment

by:AYR IT
ID: 40626471
Looks like I had to give permission to modify user accounts as well (even though they will never see options to do so); the script looks like it's working. I added the domain and left the "successful" diag. Will test with the users this week!
0
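The delegation question running through the comments above (which rights the unlock-only group actually holds) can be checked directly rather than by trial and error. The following PowerShell is an added example, not something posted in the thread: it uses the ActiveDirectory module that ships with RSAT to read the ACL of an OU and report whether the delegated group has Allow entries for ReadProperty and WriteProperty scoped to the lockoutTime attribute, which is what KB 294952-style "Read lockoutTime / Write lockoutTime" delegation produces. The OU distinguished name and the DOMAIN\group name are placeholders, and the lockoutTime attribute GUID is resolved from the schema partition instead of being typed in.

```powershell
# Added example, not from the thread: audit the lockoutTime delegation on an OU.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$OU        = 'OU=Staff,DC=example,DC=local'   # placeholder: OU where "Delegate Control" was run
$GroupName = 'EXAMPLE\Unlock Operators'       # placeholder: DOMAIN\group that should only unlock

function Get-LockoutTimeDelegation {
    param([string]$DistinguishedName, [string]$Trustee)

    # Resolve lockoutTime's schemaIDGUID from the schema partition instead of hard-coding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
                         -Properties schemaIDGUID
    $lockoutGuid = [guid]$attr.schemaIDGUID

    # Allow ACEs on the OU that name this trustee and are scoped to the lockoutTime attribute
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $lockoutGuid
    }

    $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    [pscustomobject]@{
        OU           = $DistinguishedName
        Trustee      = $Trustee
        ReadLockout  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($read) })
        WriteLockout = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($write) })
        # The grant only reaches user objects below the OU if it is inherited (Descendents / All)
        Inheritance  = ($aces | ForEach-Object { $_.InheritanceType.ToString() } |
                        Sort-Object -Unique) -join ','
    }
}

Get-LockoutTimeDelegation -DistinguishedName $OU -Trustee $GroupName | Format-List
```

Run it as any account that can read the OU's security descriptor. ReadLockout and WriteLockout both True with an inheritance scope that reaches descendant objects is the minimum the thread is describing; the author's later comment reports needing an additional grant on user objects in their environment, so treat this as a check that the intended delegation is present, not as proof that the script will succeed.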
 
LVL 26

Expert Comment

by:pony10us
ID: 40626494
Good to hear.  I will still see if I can get the error checking working properly.  I have been on a call for another network issue all day so may not get to it right away.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 40626830
I played with the script a little and it now responds properly.

' Keep running past runtime errors so a bad username or a denied write can be reported
On Error Resume Next
Err.Clear

UserName = InputBox("Enter the user's login name that you want to unlock:")

' <domain> is the site's own domain name, hard-coded so the user is not prompted for it
Set UserObj = GetObject("WinNT://<domain>" &"/"& UserName &"")

If Err.Number <> 0 Then
    ' GetObject failed, which is what a misspelled or unknown username looks like
    WScript.Echo "Could not find user '" & UserName & "'.  Check that you spelled the username properly."
ElseIf UserObj.IsAccountLocked = -1 Then
    UserObj.IsAccountLocked = 0
    UserObj.SetInfo
    ' SetInfo is where a missing delegation surfaces (e.g. access is denied)
    If Err.Number <> 0 Then
        WScript.Echo "The Account Unlock Failed: " & Err.Description
    Else
        WScript.Echo "The Account Unlock was Successful"
    End If
Else
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out and that you spelled the username properly."
End If


0
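The same unlock-only helper written against the ActiveDirectory PowerShell module, as an added example and not the thread's VBScript: it tests the LockedOut flag before and after the change rather than inferring the outcome from an error counter, reports an unknown username separately, and lets an "access is denied" failure from Unlock-ADAccount reach the user so a delegation gap is visible instead of being masked by a fixed "successful" message. The function name Unlock-DelegatedAccount is this example's own; it assumes RSAT's ActiveDirectory module on the workstation and that the running user holds the delegated lockoutTime rights discussed above.

```powershell
# Added example, not from the thread: unlock one account and report the real outcome.
# Assumes the ActiveDirectory module (RSAT) on the non-IT user's workstation.
Import-Module ActiveDirectory

function Unlock-DelegatedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Look the account up first; Get-ADUser throws a typed exception when it does not exist
    try {
        $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return "No account named '$SamAccountName' was found. Check that you spelled it properly."
    }

    if (-not $user.LockedOut) {
        return "Account '$SamAccountName' is not locked out; nothing to do."
    }

    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
    } catch {
        # A message containing "Access is denied" (the 80070005 seen in the thread) means the
        # lockoutTime delegation is missing or does not cover the OU this account lives in.
        return "Unlock of '$SamAccountName' failed: $($_.Exception.Message)"
    }

    # Re-read the flag rather than trusting the absence of an exception
    $after = Get-ADUser -Identity $user -Properties LockedOut
    if ($after.LockedOut) {
        return "Unlock of '$SamAccountName' did not take effect; check the delegation on its OU."
    }
    return "Account '$SamAccountName' was unlocked."
}

$name = Read-Host "Enter the user's login name that you want to unlock"
Unlock-DelegatedAccount -SamAccountName $name
```

Save it as a .ps1 and launch it with powershell.exe -ExecutionPolicy Bypass -File from a desktop shortcut, which keeps the non-IT user out of the AD console in the same way the VBScript does. Because the function returns a message rather than writing to the host, it can also be called from a wrapper that logs who unlocked whom and when.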
 

Author Comment

by:AYR IT
ID: 40630826
Testing was successful, rolling out today
0
