Solved

Active Directory tools for unlock only?

Posted on 2015-02-20
140 Views
Last Modified: 2015-02-25
Looking for a recommendation for Active Directory tools we can provide to non-IT admins for unlock only.

Would rather it be a piece of software that sits on a user's machine (or server), not a self-serve web portal.
Question by:AYR IT
15 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621262
What I would recommend is installing the RSAT (Remote Server Admin Tools) on the user's workstation and only giving them access to unlock user accounts. The MS KB article below outlines all of the steps.
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;279723

Will.
 
LVL 10

Assisted Solution

by:Muhammad Mulla
Muhammad Mulla earned 100 total points
ID: 40621285
You could also delegate permissions from AD to the non-IT users who require it and then install Microsoft lockout tools for them: http://www.microsoft.com/en-gb/download/details.aspx?id=18465
 
LVL 26

Accepted Solution

by:
pony10us earned 400 total points
ID: 40621438
I found a script some time back that we have used. If you give the user(s) permission in AD to unlock accounts then try this:

```vbscript
UserName = InputBox("Enter the user's login name that you want to unlock:")
DomainName = InputBox("Enter the domain name in which the user account exists:")

' Bind to the account through the WinNT provider and clear the lockout flag
Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName)
If UserObj.IsAccountLocked = -1 Then UserObj.IsAccountLocked = 0
UserObj.SetInfo

If Err.Number = 0 Then
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."
Else
    WScript.Echo "The Account Unlock was Successful"
End If
```

Save it as a .VBS on their desktop. I modified it a little since we only have one domain. I didn't want it asking all the time. Just change the line:

```vbscript
Set UserObj = GetObject("WinNT://" & DomainName & "/" & UserName)
```

to

```vbscript
Set UserObj = GetObject("WinNT://<domainname>/" & UserName)
```

and remove the line:

```vbscript
DomainName = InputBox("Enter the domain name in which the user account exists:")
```

I just found the original link where I found this script: http://www.datamation.com/entdev/article.php/3083311/UserGroup-Administration-Script-to-Unlock-a-User-Account.htm
 

Author Comment

by:AYR IT
ID: 40622127
Thanks for the comments. I'll come back to this and update when we implement the solution.
 

Author Comment

by:AYR IT
ID: 40626032
I like the script option; it works well, however I'm having a couple of issues.

1: What delegated permissions are necessary? I've followed the MS article below on assigning the rights in AD for unlock only; however, when the script is run it errors with "Error: access is denied, Code: 80070005, Source: Active Directory". Does the user require elevated local rights for this?

http://support.microsoft.com/kb/294952

2: I can run this script as an admin successfully however it will still pop the "Account unlock failed" even though AD reflects the account successfully unlocked...
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626046
The link that I provided originally outlines exactly how to set up users so that they can only unlock accounts. There is no need to run this script. In the steps provided in the link above (I provided), just add a group to the permissions you set up. From there, any time you need to add/remove users you just remove or add them to the group you assigned permissions to.

Will.
 

Author Comment

by:AYR IT
ID: 40626084
I read the original link; however, it doesn't seem to outline whether the users will need to use AD to access the ability to unlock.

I would prefer something like the script where the users just enter the username and it's done. This will be for users who have no reason to go into AD for any reason.
 
LVL 26

Expert Comment

by:pony10us
ID: 40626121
I have been playing with the script and the err.number is returning "0" regardless so it is returning the failure message even if it works.  Basically the script is functioning otherwise.  If I get time I can check into this further however if you know it is working then you can either disregard the message or swap them so it always says successful (you probably want to do this so that it does give some response)
 

Author Comment

by:AYR IT
ID: 40626126
It definitely works fine with a user who has domain admin rights however I'm a bit unsure what rights are needed for the users I wish to delegate unlock only to.

I set up a new security group for this, added the users and delegated the "read unlock / write unlock" permissions within AD; however, the users cannot successfully unlock accounts.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40626162
A script will do what you want it to do, but the permissions still need to be applied via "Delegate Control" in order for the script to work. You might want to use the script over RSAT, but you still need to delegate control.

Will.
 

Author Comment

by:AYR IT
ID: 40626185
I have already delegated the control to these users with "Read lockoutTime and Write lockoutTime"

I do not want these users to utilize Active Directory to unlock users.
 

Author Comment

by:AYR IT
ID: 40626471
Looks like I had to give permission to modify user accounts as well (even though they will never see options to do so); the script looks like it's working. I added the domain and left the "successful" diag. Will test with the users this week!
 
LVL 26

Expert Comment

by:pony10us
ID: 40626494
Good to hear.  I will still see if I can get the error checking working properly.  I have been on a call for another network issue all day so may not get to it right away.
 
LVL 26

Expert Comment

by:pony10us
ID: 40626830
I played with the script a little and it now responds properly:

```vbscript
Option Explicit
On Error Resume Next   ' handle errors in the script instead of aborting with a dialog

Dim UserName, UserObj
UserName = InputBox("Enter the user's login name that you want to unlock:")
If UserName = "" Then WScript.Quit

' <domain> is a placeholder for your domain name
Set UserObj = GetObject("WinNT://<domain>/" & UserName)
If Err.Number <> 0 Then
    WScript.Echo "User '" & UserName & "' was not found. Check that you spelled the username properly."
    WScript.Quit
End If

If UserObj.IsAccountLocked = -1 Then
    UserObj.IsAccountLocked = 0
    UserObj.SetInfo
    If Err.Number = 0 Then
        WScript.Echo "The Account Unlock was Successful"
    Else
        WScript.Echo "The Account Unlock Failed: " & Err.Description
    End If
Else
    WScript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out and that you spelled the username properly."
End If
```
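As an added example (not the thread's script or the datamation one), here is a variant that unlocks by writing lockoutTime over LDAP instead of through the WinNT provider's IsAccountLocked, discovers the domain from RootDSE rather than hard-coding it, and escapes the typed name before it goes into the LDAP search filter. It assumes that the Read/Write lockoutTime delegation from KB 294952 is sufficient for that write, which is the delegation this thread set up before falling back to broader "modify user accounts" rights.

```vbscript
Option Explicit
On Error Resume Next   ' added example: errors are checked explicitly after each directory call
' Escape LDAP filter metacharacters (RFC 4515) so the typed name cannot alter the query.
Function EscapeLdap(ByVal s)
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdap = s
End Function
Dim UserName, RootDSE, Conn, Cmd, Rs, UserObj, LockTime
UserName = Trim(InputBox("Enter the user's login name that you want to unlock:"))
If UserName = "" Then WScript.Quit
' Discover the domain the workstation is joined to instead of hard-coding it.
Set RootDSE = GetObject("LDAP://RootDSE")
' Find the account by sAMAccountName anywhere in the domain.
Set Conn = CreateObject("ADODB.Connection")
Conn.Provider = "ADsDSOObject"
Conn.Open "Active Directory Provider"
Set Cmd = CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandText = "<LDAP://" & RootDSE.Get("defaultNamingContext") & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdap(UserName) & "));" & _
    "adsPath;subtree"
Set Rs = Cmd.Execute
If Err.Number <> 0 Then
    WScript.Echo "Directory search failed: " & Err.Description
    WScript.Quit
End If
If Rs.EOF Then
    WScript.Echo "User '" & UserName & "' was not found. Check that you spelled the username properly."
    WScript.Quit
End If

Set UserObj = GetObject(Rs.Fields("adsPath").Value)
Set LockTime = UserObj.Get("lockoutTime")   ' IADsLargeInteger; Get fails if the attribute was never set
If Err.Number <> 0 Then
    WScript.Echo "The account is not locked out."
ElseIf LockTime.HighPart = 0 And LockTime.LowPart = 0 Then
    WScript.Echo "The account is not locked out."
Else
    UserObj.Put "lockoutTime", 0     ' assumption: covered by the Write lockoutTime delegation (KB 294952)
    UserObj.SetInfo
    If Err.Number = 0 Then
        WScript.Echo "The Account Unlock was Successful"
    Else
        WScript.Echo "The Account Unlock Failed: " & Err.Description
    End If
End If
```

A non-zero lockoutTime only means the account was locked at some point; if the domain's lockout duration has already expired the write is harmless and the script still reports success.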

 

Author Comment

by:AYR IT
ID: 40630826
Testing was successful, rolling out today