Solved

What security level do you need to unlock AD accounts

Posted on 2015-02-24
284 Views
Last Modified: 2015-03-11
Hi,

We have a Jr. Network Engineer who we want to allow to be able to unlock AD accounts without being a domain admin which led us to wonder what security level would they need to be to complete the task?
Question by:GR JN
3 Comments
 
LVL 14

Accepted Solution

by:
JAN PAKULA earned 500 total points
ID: 40629497
There is no default group apart from Domain Admins and Enterprise Admins which does that.

You will need to create a new group and customize security on it using dsacls,

or, easier, using adsiedit.

http://support.microsoft.com/kb/279723

Method 1

The DSACLS tool (Dsacls.exe) can facilitate the management of access control lists (ACLs) for directory services. DSACLS enables you to query and manipulate security attributes on Active Directory objects. This tool is the command-line equivalent of the Security page on various Active Directory snap-in tools.

You can use DSACLS to delegate the specific permission to unlock a locked account in the Active Directory Users and Computers snap-in. For example, to delegate the permission to unlock user accounts in a certain organizational unit to a security group, use the following command:

dsacls "ou=ouname,dc=domain,dc=com" /I:s /G "domain\group Name":rpwp;lockoutTime;user

For an explanation of what each part of the preceding command means:

"ou=ouname,dc=domain,dc=com": This syntax represents the organizational unit to which you want to delegate authority.

"/i:s": This syntax means that the permission is inherited onto child objects only.

"/g "domain\group name":rpwp;lockouttime;user": This syntax means grant the permission to the Global Security group "Group Name", grant Read permission and Write permission, grant the permission to the lockoutTime attribute, and grant the permission only to user-type objects.

As another example, to delegate authority to the members of the Help Desk security group over user accounts in the Sales organizational unit in the "ad.company.com" domain (down-level domain name = ad), you can use the following command:

dsacls "ou=sales,dc=ad,dc=company,dc=com" /I:s /G "ad\help desk":rpwp;lockoutTime;user

Method 2

The ADSIEdit tool (Adsiedit.msc) is a low-level editor of Active Directory. This tool is located on the Windows 2000 CD-ROM in the Support Tools folder. You must select "Typical Install", and then locate the Support Tools folder.

To use the ADSIEdit tool:

1. Start the ADSIEdit tool (Adsiedit.msc) from the Windows 2000 Support Tools folder.
2. Right-click the container or object that you want to grant this permission to.
3. Click the Security tab.
4. Click Advanced.
5. Click Add, and then specify the user or group that you want to grant this right to.
6. Click the Properties tab.
7. In the Apply onto: drop-down list, click User objects.
8. Click to select the Allow check box that is beside Read lockoutTime and Write lockoutTime.
9. Click to select the Apply these permissions to objects and/or containers within this container only check box.

Note: After you modify permissions for a given user, the modified permissions are not exposed in Active Directory Users and Computers in Windows 2000. However, the permissions are exposed in Windows Server 2003. To expose these properties on a Windows 2000 system, modify the DSSEC.DAT file. Set Read Lockout Time and Write Lockout Time =0 in the [USER] Section. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
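As an added example (not part of the accepted answer or the KB article it quotes), the same delegation done from PowerShell with the ActiveDirectory module and the AD: drive, followed by a listing of every ACE on the OU that is scoped to lockoutTime so the delegation can be reviewed afterwards. The OU distinguished name and the "Help Desk" group are taken from the answer's second dsacls example and are assumptions; the schemaIDGUIDs are read from the schema at run time rather than hard-coded.

```powershell
# Added example: PowerShell equivalent of
#   dsacls "ou=sales,dc=ad,dc=company,dc=com" /I:s /G "ad\help desk":rpwp;lockoutTime;user
# plus a review of who holds lockoutTime rights on that OU.
Import-Module ActiveDirectory

$ouDN      = 'OU=Sales,DC=ad,DC=company,DC=com'   # assumed target OU
$groupName = 'Help Desk'                           # assumed delegate group

# Resolve schemaIDGUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the only attribute being delegated
$userClassGuid   = Get-SchemaGuid 'user'          # ACE applies to user objects only (;user)

# rpwp = ReadProperty + WriteProperty; /I:s = child objects only (Descendents).
$groupSid = (Get-ADGroup $groupName).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, $rights, $allow, $lockoutTimeGuid, $inherit, $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review step: every ACE on the OU whose object type is lockoutTime, with its
# inheritance scope, so nothing broader than "unlock user accounts" slipped in.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $lockoutTimeGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor; the review query at the end can be run on its own by any account with read access to the OU's ACL.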
 
LVL 4

Expert Comment

by:szichen
ID: 40629880
In Active Directory, right-click the OU and delegate permission to the person you want to manage the account. You may need to give them permission to manage the account for them to be able to unlock the account.
Install the RSAT tools on the user's machine so they can access AD.
