Solved

Active Directory tools for unlock only?

Posted on 2015-02-20
Last Modified: 2015-02-25
Looking for a recommendation for Active Directory tools we can provide to non-IT admins for unlock only.

Would rather it be a piece of software that sits on a user's machine (or server), not a self-serve web portal.
Question by:Steven Jobs

15 Comments

Expert Comment

by:Will Szymkowski
ID: 40621262
What I would recommend is installing the RSAT (Remote Server Admin Tools) on the user's workstation and only giving them access to unlock user accounts. The MS KB article below outlines all of the steps.
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;279723

Will.

Assisted Solution

by:Muhammad Mulla
Muhammad Mulla earned 100 total points
ID: 40621285
You could also delegate permissions in AD to the non-IT users who require it and then install the Microsoft lockout tools for them: http://www.microsoft.com/en-gb/download/details.aspx?id=18465

Accepted Solution

by:pony10us
pony10us earned 400 total points
ID: 40621438
I found a script some time back that we have used. If you give the user(s) permission in AD to unlock accounts, then try this:

UserName = InputBox("Enter the user's login name that you want to unlock:")

DomainName = InputBox("Enter the domain name in which the user account exists:")

Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")
If UserObj.IsAccountLocked = -1 then UserObj.IsAccountLocked = 0
UserObj.SetInfo

If err.number = 0 Then
    Wscript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."
Else
    Wscript.Echo "The Account Unlock was Successful"
End if


Save it as a .VBS on their desktop. I modified it a little since we only have one domain; I didn't want it asking all the time. Just change the line:

Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")

to

Set UserObj = GetObject("WinNT://<domainname>" &"/"& UserName &"")

and remove the line:

DomainName = InputBox("Enter the domain name in which the user account exists:")

I just found the original link where I found this script:   http://www.datamation.com/entdev/article.php/3083311/UserGroup-Administration-Script-to-Unlock-a-User-Account.htm

Author Comment

by:Steven Jobs
ID: 40622127
Thanks for the comments. I'll come back to this and update when we implement the solution.

Author Comment

by:Steven Jobs
ID: 40626032
I like the script option; it works well. However, I'm having a couple of issues:

1: What delegated permissions are necessary? I've followed the MS article below on assigning the rights in AD for unlock only; however, when the script is run it errors with "Error: access is denied, Code: 80070005, Source: Active Directory". Does the user require elevated local rights for this?

http://support.microsoft.com/kb/294952

2: I can run this script as an admin successfully; however, it will still pop the "Account unlock failed" message even though AD reflects the account as successfully unlocked...

Expert Comment

by:Will Szymkowski
ID: 40626046
The link that I provided originally outlines exactly how to set up users so that they can only unlock accounts. There is no need to run this script. In the steps provided in the link above (which I provided), just add a group to the permissions you set up. From there, any time you need to add/remove users, you just add or remove them from the group you assigned permissions to.

Will.
Author Comment

by:Steven Jobs
ID: 40626084
I read the original link; however, it doesn't seem to outline whether the users will be required to use AD to access the ability to unlock.

I would prefer something like the script, where the users just enter the username and it's done. This will be for users who have no reason to go into AD at all.

Expert Comment

by:pony10us
ID: 40626121
I have been playing with the script, and err.number is returning "0" regardless, so it is returning the failure message even if it works. Basically the script is functioning otherwise. If I get time I can check into this further; however, if you know it is working then you can either disregard the message or swap them so it always says successful (you probably want to do this so that it does give some response).
Author Comment

by:Steven Jobs
ID: 40626126
It definitely works fine with a user who has domain admin rights; however, I'm a bit unsure what rights are needed for the users I wish to delegate unlock-only to.

I set up a new security group for this, added the users and delegated the "read unlock / write unlock" permissions within AD; however, the users cannot successfully unlock accounts.

Expert Comment

by:Will Szymkowski
ID: 40626162
A script will do what you want it to do, but the permissions still need to be applied via "Delegate Control" in order for the script to work. You might want to use the script over RSAT, but you still need to delegate control.

Will.
Author Comment

by:Steven Jobs
ID: 40626185
I have already delegated the control to these users with "Read lockoutTime and Write lockoutTime".

I do not want these users to utilize Active Directory to unlock users.
Author Comment

by:Steven Jobs
ID: 40626471
Looks like I had to give permission to modify user accounts as well (even though they will never see options to do so); the script looks like it's working. I added the domain and left the "successful" dialog. Will test with the users this week!
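For anyone who would rather script the delegation than click through the wizard each time, here is an added PowerShell example (mine, not posted by anyone in this thread). It grants a group only the lockoutTime property on one OU and then reads the ACL back so you can confirm exactly what was delegated. The OU and group names are placeholders.

```powershell
# Added example, not from the thread: delegate only the lockoutTime property on
# one OU to an "unlock operators" group, then read the ACL back to verify it.
# The OU and group below are placeholders; substitute your own.
$ou    = 'OU=Staff,DC=corp,DC=example'   # placeholder OU holding the user accounts
$group = 'CORP\Unlock-Operators'         # placeholder security group

# RPWP = read property + write property, limited to lockoutTime on user objects.
# /I:S puts the ACE on child objects only, so the OU object itself is untouched.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Verify: print just the ACL lines that mention the group.
dsacls $ou | Select-String -SimpleMatch $group
```

This is the same Read/Write lockoutTime entry that KB 294952 describes; tools that unlock through LDAP (ADUC, the ActiveDirectory module) need nothing beyond it, whereas the WinNT-provider script in this thread ended up needing broader modify rights. Reviewing the dsacls output after the change is the quickest way to confirm no wider permission crept in.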

Expert Comment

by:pony10us
ID: 40626494
Good to hear. I will still see if I can get the error checking working properly. I have been on a call for another network issue all day, so may not get to it right away.

Expert Comment

by:pony10us
ID: 40626830
I played with the script a little and it now responds properly:

On Error Resume Next   ' keep running so a bad username can be reported instead of crashing the script

UserName = InputBox("Enter the user's login name that you want to unlock:")

Set UserObj = GetObject("WinNT://<domain>" &"/"& UserName &"")

If Err.Number <> 0 Then
    Wscript.Echo "Could not open the account '" & UserName & "': " & Err.Description & ". Check that you spelled the username properly."
    Wscript.Quit 1
End If

If UserObj.IsAccountLocked = -1 Then

    UserObj.IsAccountLocked = 0
    UserObj.SetInfo

    If Err.Number <> 0 Then
        Wscript.Echo "The Account Unlock Failed: " & Err.Description
    Else
        Wscript.Echo "The Account Unlock was Successful"
    End If

Else

    Wscript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."

End If

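As a PowerShell counterpart to the VBScript above (an added example, not pony10us's code), built on the ActiveDirectory module that ships with the RSAT install Will suggested: it unlocks through LDAP, re-reads the lock state afterwards instead of trusting an error number, tells "not found", "not locked" and "access denied" apart, and appends one line to an audit log. The log path is an assumed location; the function name and the sample are mine.

```powershell
# Added example, not from the thread: an unlock-only helper on the ActiveDirectory
# module (RSAT) rather than the WinNT provider. Requires the Read/Write lockoutTime
# delegation discussed in this thread. $LogPath is an assumed location.
Import-Module ActiveDirectory

function Unlock-LockedAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$LogPath = "$env:USERPROFILE\unlock-log.txt"
    )

    # Look the account up first so a typo is reported as "not found", not as a failed unlock.
    try {
        $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return "No account named '$SamAccountName' was found. Check the spelling."
    }

    if (-not $user.LockedOut) {
        return "Account '$SamAccountName' is not locked out; nothing to do."
    }

    # Insufficient delegation surfaces here as an ADException ("Insufficient access rights").
    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADException] {
        return "Unlock of '$SamAccountName' was refused: $($_.Exception.Message)"
    }

    # Re-read the attribute rather than trusting the cmdlet's silence; the VBScript
    # in this thread mis-reported success/failure by relying on Err.Number alone.
    $after  = Get-ADUser -Identity $user -Properties LockedOut
    $result = if ($after.LockedOut) { 'FAILED' } else { 'OK' }

    # One tab-separated audit line: when, who ran it, what they did, to whom, outcome.
    "$(Get-Date -Format s)`t$env:USERNAME`tunlock`t$SamAccountName`t$result" |
        Add-Content -Path $LogPath

    return "Unlock of '$SamAccountName': $result"
}

# Same prompt-driven flow as the VBScript: the operator only types a login name.
$name = Read-Host 'Enter the login name of the account to unlock'
Unlock-LockedAccount -SamAccountName $name
```

Save it as a .ps1 and point a desktop shortcut at `powershell.exe -File <path>`; because every outcome comes back as a plain string, the operator always gets a response, and the log line records who unlocked which account and whether it actually took.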

Author Comment

by:Steven Jobs
ID: 40630826
Testing was successful, rolling out today