I'm trying to delegate permission to a user to unlock locked accounts.
In Active Directory Users & Computers: for the OU containing all the users, I right-click Delegate Control | pick the person | pick "create a custom task to delegate" | pick "user objects" | then pick "property-specific" | then check "read lockoutTime" and "write lockoutTime".
1. Did this destroy the previous permissions and replace them with just read & write lockoutTime?
2. When I run my PowerShell command, I get a red error: "Unlock-ADAccount: insufficient access rights to perform the operation"
I was following instructions at:
Thanks for any thoughts,
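As an added example (not part of the question or any answer here), the following PowerShell inspects what the Delegate Control wizard actually wrote to the OU's ACL. It answers the first question by counting the ACEs still present (the wizard appends, it does not replace) and the second by checking whether an inherited, allow, WriteProperty ACE on lockoutTime exists for user objects, which is what Unlock-ADAccount needs. The OU distinguished name is a placeholder; the two GUIDs are the schema GUIDs of the lockoutTime attribute and the user object class, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit an OU's ACL for lockoutTime delegation.
# Assumes the RSAT ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

$ouDN = 'OU=Users,DC=example,DC=com'   # placeholder: replace with the real OU

# Schema GUIDs (fixed in the AD schema, not specific to any forest)
$lockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$userClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$acl = Get-Acl -Path "AD:\$ouDN"

# Question 1: Delegate Control adds ACEs to this list; nothing that was here is removed.
"Total ACEs on $ouDN : $($acl.Access.Count)"

# Show only the ACEs that are scoped to the lockoutTime attribute
$acl.Access |
    Where-Object { $_.ObjectType -eq $lockoutTimeGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType,
        @{ n = 'AppliesTo'; e = {
            if ($_.InheritedObjectType -eq $userClassGuid) { 'user objects' } else { $_.InheritedObjectType } } } |
    Format-Table -AutoSize

# Question 2: unlocking writes lockoutTime, so an inherited Allow WriteProperty ACE on it is required.
$writeAce = $acl.Access | Where-Object {
    $_.ObjectType -eq $lockoutTimeGuid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.InheritanceType -ne 'None'   # 'None' = this object only, so it would never reach the users below
}
if (-not $writeAce) {
    'No inherited WriteProperty ACE on lockoutTime found: Unlock-ADAccount will report insufficient access rights.'
}
```

Run it as an account that can read the OU's security descriptor (reading the ACL needs no delegated rights of its own). If the grant shows up with InheritanceType of None, the wizard scoped it to the OU object itself rather than to the user objects under it, and that alone produces the error in the question.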
Delegation groups are named according to the permission that they grant. The permission they grant can be, but is not limited to, an AD permission to do a specific task.

Delegation groups:
- Can only contain Role Groups
- Cannot be members of any groups

Some examples of a built-in Delegation Group:

Some examples of a custom Delegation Group:
- Manage Group Memberships

Role groups should be created based on a specific role that a group of people fulfil.
Delegation permissions are assigned to these groups via delegation groups. This is done by adding the Role group as a member of the delegation groups for the permissions required.
It is worth noting that this delegation is not limited to AD permissions.
If the Help Desk supports a SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way, when a new Help Desk employee starts, all that is required is to add the user account to the Help Desk Role group.

Role groups:
- Can only contain privileged user accounts
- Can only be a member of Delegation Groups

Some examples of a Role Group:

- No delegation against individual user accounts
- Reuse of Delegation Groups
- Easy to manage
- Quick to determine permissions
- Uncomplicated to assign correct permissions to an individual based on their function
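The following PowerShell is an added example, not code from the answer above, that builds the two-tier model it describes and applies it to the unlock scenario from the question: a delegation group that carries the lockoutTime permission, a role group for the Help Desk nested into it, and a user account placed in the role group. Group names, the OU paths and the user name are assumed placeholders; the DomainLocal/Global scopes follow the usual AGDLP convention and are the example's own choice, not something the answer specifies. The GUIDs are the schema GUIDs of the lockoutTime attribute and the user object class.

```powershell
# Added example: delegation group + role group model for unlocking accounts.
# Assumes the RSAT ActiveDirectory module; all names and paths are placeholders.
Import-Module ActiveDirectory

$ouDN         = 'OU=Users,DC=example,DC=com'    # placeholder: OU holding the user accounts
$groupOU      = 'OU=Groups,DC=example,DC=com'   # placeholder: where the groups are created
$delegGroup   = 'DLG_Unlock_UserAccounts'       # assumed name: permission the group grants
$roleGroup    = 'ROLE_HelpDesk'                 # assumed name: job function
$helpDeskUser = 'jdoe'                          # placeholder privileged account

$lockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute
$userClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# 1. Delegation group: holds the ACE, only ever contains role groups
New-ADGroup -Name $delegGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# 2. Role group: describes a function, only ever contains user accounts
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $groupOU

# 3. Nesting: role group -> delegation group, user -> role group.
#    Onboarding a new Help Desk member later is only step 3b.
Add-ADGroupMember -Identity $delegGroup -Members $roleGroup     # 3a
Add-ADGroupMember -Identity $roleGroup  -Members $helpDeskUser  # 3b

# 4. Grant the delegation group read + write on lockoutTime, inherited by all
#    user objects under the OU (the same scope the Delegate Control wizard should produce).
$sid    = (Get-ADGroup -Identity $delegGroup).SID
$acl    = Get-Acl -Path "AD:\$ouDN"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,                                                   # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                                     # only on user objects
$acl.AddAccessRule($ace)   # appends to the existing ACEs; nothing already present is removed
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 5. Verify: the ACE is visible on the OU and the user resolves through the nesting
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access | Where-Object { $_.IdentityReference -like "*\$delegGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
Get-ADPrincipalGroupMembership -Identity $helpDeskUser | Select-Object Name
```

Because the permission lives on the delegation group and never on an individual, removing someone's unlock rights is a single Remove-ADGroupMember on the role group, and reviewing who can unlock accounts is a single recursive membership query on the delegation group. The user has to log off and on again before the new group membership appears in their token.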