• Status: Solved

Active Directory tools for unlock only?

Looking for a recommendation for Active Directory tools we can provide to non-IT admins for unlock only.

Would rather it be a piece of software that sits on a user's machine (or server), not a self-serve web portal.
2 Solutions
 
Will Szymkowski (Senior Solution Architect) commented:
What I would recommend is installing the RSAT (Remote Server Admin Tools) on the users' workstations and only giving them access to unlock user accounts. The MS KB article below outlines all of the steps.
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;279723

Will.
 
Muhammad Mulla commented:
You could also delegate permissions from AD to the non-IT users who require it and then install Microsoft lockout tools for them: http://www.microsoft.com/en-gb/download/details.aspx?id=18465
 
pony10us commented:
I found a script some time back that we have used.  If you give the user(s) permission in AD to unlock accounts, then try this:

UserName = InputBox("Enter the user's login name that you want to unlock:")
DomainName = InputBox("Enter the domain name in which the user account exists:")

' Bind to the account through the WinNT provider and clear the lockout flag
Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")
If UserObj.IsAccountLocked = -1 Then UserObj.IsAccountLocked = 0
UserObj.SetInfo

' Note: this test is inverted (Err.Number = 0 means no error occurred), which is
' why the script reports a failure after a successful unlock, as noted later in the thread.
If Err.Number = 0 Then
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."
Else
    WScript.Echo "The Account Unlock was Successful"
End If



Save it as a .VBS on their desktop.  I modified it a little since we only have one domain; I didn't want it asking all the time.  Just change the line:

Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")

to

Set UserObj = GetObject("WinNT://<domainname>" &"/"& UserName &"")

and remove the line:

DomainName = InputBox("Enter the domain name in which the user account exists:")

I just found the original link where I found this script:   http://www.datamation.com/entdev/article.php/3083311/UserGroup-Administration-Script-to-Unlock-a-User-Account.htm
 
AYR IT (Author) commented:
Thanks for the comments. I'll come back to this and update when we implement the solution.
 
AYR IT (Author) commented:
I like the script option; it works well, however I'm having a couple of issues.

1: What delegated permissions are necessary? I've followed the MS article below on assigning the rights in AD for unlock only; however, when the script is run it errors with "Error: access is denied, Code: 80070005, Source: Active Directory". Does the user require elevated local rights for this?

http://support.microsoft.com/kb/294952

2: I can run this script as an admin successfully; however, it will still pop the "Account unlock failed" message even though AD reflects the account successfully unlocked.
 
Will Szymkowski (Senior Solution Architect) commented:
The link that I provided originally outlines exactly how to set up users so that they can only unlock accounts. There is no need to run this script. In the steps provided in the link above (which I provided), just add a group to the permissions you set up. From there, any time you need to add/remove users you just add or remove them from the group you assigned permissions to.

Will.
 
AYR IT (Author) commented:
I read the original link; however, it doesn't seem to say whether the users will need to use AD to access the unlock ability.

I would prefer something like the script, where the users just enter the username and it's done. This will be for users who have no reason to go into AD at all.
 
pony10us commented:
I have been playing with the script and the err.number is returning "0" regardless, so it is returning the failure message even if it works.  Otherwise the script is basically functioning.  If I get time I can check into this further; however, if you know it is working then you can either disregard the message or swap them so it always says successful (you probably want to do this so that it does give some response).
 
AYR IT (Author) commented:
It definitely works fine with a user who has domain admin rights; however, I'm a bit unsure what rights are needed for the users I wish to delegate unlock-only to.

I set up a new security group for this, added the users and delegated the "read unlock / write unlock" permissions within AD; however, the users cannot successfully unlock accounts.
 
Will Szymkowski (Senior Solution Architect) commented:
A script will do what you want it to do, but the permissions still need to be applied via "Delegate Control" in order for the script to work. You might want to use the script over RSAT, but you still need to delegate control.

Will.
 
AYR IT (Author) commented:
I have already delegated control to these users with "Read lockoutTime and Write lockoutTime".

I do not want these users to use Active Directory to unlock users.
 
AYR IT (Author) commented:
Looks like I had to give permission to modify user accounts as well (even though they will never see options to do so); the script looks like it's working. I added the domain and left the "successful" dialog. Will test with the users this week!
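Before widening a delegation the way the thread ends up doing, it helps to see what the "Read/Write lockoutTime" delegation actually put on the OU. The following is an added example, not code from the thread: it lists the ACEs on an OU that are scoped to the lockoutTime attribute. It assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name is a placeholder you replace.

```powershell
# Added example (not from the thread): list the ACEs on an OU that grant rights on the
# lockoutTime attribute, i.e. what a "Read/Write lockoutTime" delegation produced.
# Assumes the RSAT ActiveDirectory module; $OrgUnitDN is a placeholder you supply.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-LockoutTimeDelegation {
    param([Parameter(Mandatory)][string]$OrgUnitDN)

    # Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
                         -Properties schemaIDGUID
    $lockoutGuid = [guid]$attr.schemaIDGUID

    # Read the OU's security descriptor through the AD: drive the module provides.
    $acl = Get-Acl -Path "AD:\$OrgUnitDN"

    # Keep only ACEs scoped to this one attribute. An ACE whose ObjectType is the
    # empty GUID applies to all properties, which is broader than unlock-only.
    $acl.Access |
        Where-Object { $_.ObjectType -eq $lockoutGuid } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, IsInherited
}

# Placeholder OU; replace with the OU that holds the accounts to be unlocked.
Get-LockoutTimeDelegation -OrgUnitDN 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

If the group you delegated to does not appear with WriteProperty on this attribute for the OU containing the target accounts (or the ACE is not inherited down to them), the unlock will fail with access denied regardless of which client tool is used.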
 
pony10us commented:
Good to hear.  I will still see if I can get the error checking working properly.  I have been on a call for another network issue all day, so I may not get to it right away.
 
pony10us commented:
I played with the script a little and it now responds properly:

Err.Clear()   ' Reset any earlier error state before we start

UserName = InputBox("Enter the user's login name that you want to unlock:")

' Single-domain variant: replace <domain> with your domain name
Set UserObj = GetObject("WinNT://<domain>" &"/"& UserName &"")

' Test the lockout flag first, so the message reflects what actually happened
If UserObj.IsAccountLocked = -1 Then
    UserObj.IsAccountLocked = 0
    UserObj.SetInfo
    WScript.Echo "The Account Unlock was Successful"
Else
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out and that you spelled the username properly."
End If

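For the same unlock-only workflow on a current Windows workstation, here is an added PowerShell equivalent (not code from the thread) that reports success only after re-reading the lockout state, and separates "not locked" from "access denied" so the delegated user gets an accurate message. It assumes the RSAT ActiveDirectory module is installed and that the log path under the user's profile is writable.

```powershell
# Added example (not from the thread): PowerShell equivalent of the VBScript unlock
# helper, with accurate result reporting. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

function Unlock-DelegatedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    try {
        $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return "Account '$SamAccountName' not found. Check the spelling."
    }

    # Test the lockout state first (as the corrected VBScript does), so an account
    # that was never locked is not reported as a successful unlock.
    if (-not $user.LockedOut) {
        return "Account '$SamAccountName' is not locked out. Nothing to do."
    }

    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
    } catch {
        # Typically the "access is denied" case from the thread: the caller has not been
        # delegated Write lockoutTime on the OU holding this account.
        return "Unlock of '$SamAccountName' failed: $($_.Exception.Message)"
    }

    # Re-read the attribute rather than trusting the absence of an exception.
    $after = Get-ADUser -Identity $user -Properties LockedOut
    if ($after.LockedOut) {
        return "Unlock of '$SamAccountName' did not take effect."
    }

    # Assumption: a per-user log under LOCALAPPDATA is writable; keeps a local audit trail.
    $logPath = Join-Path $env:LOCALAPPDATA 'ad-unlock.log'
    "$(Get-Date -Format o) $env:USERNAME unlocked $SamAccountName" | Add-Content -Path $logPath
    return "Account '$SamAccountName' unlocked."
}

# Prompt the same way the VBScript did, so non-IT staff only type a username.
$name = Read-Host 'Enter the login name of the account to unlock'
Unlock-DelegatedAccount -SamAccountName $name
```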
 
AYR IT (Author) commented:
Testing was successful; rolling out today.
