Solved

Active Directory tools for unlock only?

Posted on 2015-02-20
Last Modified: 2015-02-25
Looking for a recommendation for Active Directory tools we can provide to non-IT admins for unlock only.

Would rather it be a piece of software that sits on a user's machine (or server), not a self-serve web portal.
Question by:Steven Jobs
15 Comments
 

Expert Comment

by:Will Szymkowski
ID: 40621262
What I would recommend is installing the RSAT (Remote Server Admin Tools) on the user's workstation and only giving them access to unlock user accounts. The MS KB article below outlines all of the steps.
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;279723

Will.

Assisted Solution

by:Muhammad Mulla
Muhammad Mulla earned 100 total points
ID: 40621285
You could also delegate permissions from AD to the non-IT users who require it and then install Microsoft lockout tools for them: http://www.microsoft.com/en-gb/download/details.aspx?id=18465

Accepted Solution

by:pony10us
pony10us earned 400 total points
ID: 40621438
I found a script some time back that we have used.  If you give the user(s) permission in AD to unlock accounts, then try this:

' Prompt for the account to unlock and the domain it lives in.
UserName = InputBox("Enter the user's login name that you want to unlock:")

DomainName = InputBox("Enter the domain name in which the user account exists:")

' Bind to the user through the WinNT provider and clear the lockout flag if it is set.
Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")
If UserObj.IsAccountLocked = -1 Then UserObj.IsAccountLocked = 0
UserObj.SetInfo

' Report the outcome (note that this test treats Err.Number = 0 as failure).
If Err.Number = 0 Then
    Wscript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out."
Else
    Wscript.Echo "The Account Unlock was Successful"
End If



Save it as a .VBS on their desktop.  I modified it a little since we only have one domain.  I didn't want it asking all the time.  Just change the line:

Set UserObj = GetObject("WinNT://"& DomainName &"/"& UserName &"")

to

Set UserObj = GetObject("WinNT://<domainname>" &"/"& UserName &"")

and remove the line:

DomainName = InputBox("Enter the domain name in which the user account exists:")

I just found the original link where I found this script:   http://www.datamation.com/entdev/article.php/3083311/UserGroup-Administration-Script-to-Unlock-a-User-Account.htm

Author Comment

by:Steven Jobs
ID: 40622127
Thanks for the comments. I'll come back to this and update when we implement the solution.

Author Comment

by:Steven Jobs
ID: 40626032
I like the script option; it works well. However, I'm having a couple of issues.

1: What delegated permissions are necessary? I've followed the MS article below on assigning the rights in AD for unlock only; however, when the script is run it errors with "Error: access is denied, Code: 80070005, Source: Active Directory". Does the user require elevated local rights for this?

http://support.microsoft.com/kb/294952

2: I can run this script as an admin successfully; however, it will still pop the "Account unlock failed" even though AD reflects the account successfully unlocked...

Expert Comment

by:Will Szymkowski
ID: 40626046
The link that I provided originally outlines exactly how to set up users so that they can only unlock accounts. There is no need to run this script. In the steps provided in the link above (that I provided), just add a group to the permissions you set up. From there, any time you need to add/remove users you just remove or add them to the group you assigned permissions to.

Will.

Author Comment

by:Steven Jobs
ID: 40626084
I read the original link; however, it doesn't seem to outline whether the users will need to use AD to access the ability to unlock.

I would prefer something like the script, where the users just enter the username and it's done. This will be for users who have no reason to go into AD.

Expert Comment

by:pony10us
ID: 40626121
I have been playing with the script, and Err.Number is returning "0" regardless, so it is returning the failure message even if it works.  Basically, the script is functioning otherwise.  If I get time I can check into this further; however, if you know it is working then you can either disregard the message or swap them so it always says successful (you probably want to do this so that it does give some response).

Author Comment

by:Steven Jobs
ID: 40626126
It definitely works fine with a user who has domain admin rights; however, I'm a bit unsure what rights are needed for the users I wish to delegate unlock-only to.

I set up a new security group for this, added the users and delegated the "read unlock / write unlock" permissions within AD; however, the users cannot successfully unlock accounts.

Expert Comment

by:Will Szymkowski
ID: 40626162
A script will do what you want it to do, but the permissions still need to be applied ("Delegate Control") in order for the script to work. You might want to use the script over RSAT, but you still need to delegate control.

Will.

Author Comment

by:Steven Jobs
ID: 40626185
I have already delegated the control to these users with "Read lockoutTime and Write lockoutTime".

I do not want these users to utilize Active Directory to unlock users.

Author Comment

by:Steven Jobs
ID: 40626471
Looks like I had to give permission to modify user accounts as well (even though they will never see options to do so); the script looks like it's working. I added the domain and left the "successful" diag. Will test with the users this week!
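For the question of which delegated permissions are actually in place, here is an added PowerShell example (not code from this thread) that lists who holds Write lockoutTime on user objects under an OU, the right KB 294952 delegates; it assumes the ActiveDirectory module from RSAT and a hypothetical OU distinguished name supplied by the caller.

```powershell
# Added example: audit the "unlock" delegation (WriteProperty on lockoutTime)
# on an OU before handing an unlock-only tool to non-IT staff.
Import-Module ActiveDirectory

function Get-UnlockDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Resolve the schema GUIDs at run time rather than hard-coding them.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))' `
        -Properties schemaIDGUID).schemaIDGUID
    $userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
        -Properties schemaIDGUID).schemaIDGUID

    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($write) -and
        # ObjectType = lockoutTime is the attribute-scoped grant; an empty ObjectType
        # means WriteProperty on every attribute, far more than "unlock only".
        ($_.ObjectType -eq $lockoutTimeGuid -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq [guid]::Empty)
    } | ForEach-Object {
        [pscustomobject]@{
            Trustee   = $_.IdentityReference.Value
            Scope     = if ($_.ObjectType -eq $lockoutTimeGuid) { 'lockoutTime only' } else { 'all attributes' }
            Inherited = $_.IsInherited
        }
    }
}

# Usage (placeholder DN; substitute the OU that holds the accounts to be unlocked):
# Get-UnlockDelegation -OuDistinguishedName 'OU=Staff,DC=example,DC=com' | Format-Table
```

Any row whose Scope is "all attributes" is a group that was granted more than the unlock right and is worth reviewing.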

Expert Comment

by:pony10us
ID: 40626494
Good to hear.  I will still see if I can get the error checking working properly.  I have been on a call for another network issue all day so may not get to it right away.

Expert Comment

by:pony10us
ID: 40626830
I played with the script a little and it now responds properly:

Err.Clear   ' Start from a clean error state.

UserName = InputBox("Enter the user's login name that you want to unlock:")

' Replace <domain> with your domain's NetBIOS name.
Set UserObj = GetObject("WinNT://<domain>" &"/"& UserName &"")

' Decide success by checking the lockout flag itself rather than Err.Number.
If UserObj.IsAccountLocked = -1 Then
    UserObj.IsAccountLocked = 0
    UserObj.SetInfo
    Wscript.Echo "The Account Unlock was Successful"
Else
    Wscript.Echo "The Account Unlock Failed.  Check that the account is, in fact, locked-out and that you spelled the username properly."
End If


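The same unlock-only tool, as an added PowerShell example (not code from this thread): it goes through the ActiveDirectory module, whose Unlock-ADAccount writes lockoutTime over LDAP, the right KB 294952 delegates, rather than the WinNT provider that the thread found needed broader "modify user accounts" rights. It assumes RSAT's ActiveDirectory module on the helpdesk machine and that login names are plain sAMAccountNames.

```powershell
# Added example: LDAP-based unlock-only tool with an explicit result instead of
# the Err.Number check that the VBScript version got wrong.
Import-Module ActiveDirectory

function Unlock-DelegatedAccount {
    param([Parameter(Mandatory)][string]$UserName)

    # Assumption: only plain sAMAccountNames are accepted; reject wildcards,
    # DNs, UPNs and LDAP filter characters before anything touches the directory.
    if ($UserName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        return [pscustomobject]@{ User = $UserName; Result = 'InvalidName'; Detail = '' }
    }
    try {
        $user = Get-ADUser -Identity $UserName -Properties LockedOut -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{ User = $UserName; Result = 'NotFound'; Detail = '' }
    }
    # Test the lockout flag first, as the corrected VBScript does.
    if (-not $user.LockedOut) {
        return [pscustomobject]@{ User = $UserName; Result = 'NotLocked'; Detail = '' }
    }
    try {
        Unlock-ADAccount -Identity $user -ErrorAction Stop
    } catch {
        # Typically "insufficient access rights": the delegation is missing for this user.
        return [pscustomobject]@{ User = $UserName; Result = 'Failed'; Detail = $_.Exception.Message }
    }
    # Re-read rather than assume, so the message reflects what the DC actually stored.
    $after = Get-ADUser -Identity $UserName -Properties LockedOut
    $result = if ($after.LockedOut) { 'StillLocked' } else { 'Unlocked' }
    [pscustomobject]@{ User = $UserName; Result = $result; Detail = '' }
}

# Interactive front end, the equivalent of the InputBox prompt in the VBScript.
$name = Read-Host 'Enter the login name of the account to unlock'
$outcome = Unlock-DelegatedAccount -UserName $name
Write-Host "$($outcome.User): $($outcome.Result) $($outcome.Detail)"
```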

Author Comment

by:Steven Jobs
ID: 40630826
Testing was successful, rolling out today