AboutPricingCommunityTeamsStart Free TrialLog in
Avatar of mike2401
mike2401
Flag for United States of America asked on

PS script to unlock user accounts. And: is Delegation destructive?

I'm trying to delegate permission to a user to unlock locked accounts.

In Active Directory Users & Computers:  for the OU containing all the users,  I right-click  Delegate Control | pick the person | pick create a custom task to delegate | pick 'user objects | then Pick property-specific | then check "read lockout time" and "write lockout time".

QUESTIONS:
1.  Did this destroy previous permissions  and replace it with just read & write lockout time?
2.  When I run my powershell command, I get a red error: "Unlock-ADAccout: insufficient access rights to perform the operation"

I was following instructions at:
https://www.lepide.com/how-to/delegate-rights-to-unlock-account.html

Thanks for any thoughts,
Mike
PowershellActive Directory
Avatar of undefined
Last Comment
mike2401
8/22/2022 - Mon
Shaun Vermaak
Look at the custom delegation template in my article. You can add it and then the wizard will be extended. Specifically look at "Reset user passwords and force password change at next logon"

[Version]
signature="$CHICAGO$"

[DelegationTemplates]

Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23,template24, template25, template26, template27, template28, template29, template30, template31, template32, template33,template34, template35, template36, template37, template38, template39, template40, template41, template42, template43,template44, template45, template46, template47, template48, template49, template50, template51, template52, template53,template54, template55, template56, template57, template58, template59, template60, template61, template62, template63,template64, template65, template66, template67, template68, template69, template70
;---------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage user accounts"

ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;---------------------------------------------------------

;---------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset user passwords and force password change at next logon"

ObjectTypes = user

[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all user information"

ObjectTypes = user

[template3.user]
@=RP

;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container

Description = "Create, delete and manage groups"

ObjectTypes = SCOPE, group

[template4.SCOPE]
group=CC,DC

[template4.group]
@=GA

;----------------------------------------------------------


;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the membership of a group"

ObjectTypes = group

[template5.group]
member=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS

Description = "Join a computer to the domain"

ObjectTypes = SCOPE

[template6.SCOPE]
computer=CC
;----------------------------------------------------------



;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site

Description = "Manage Group Policy links"

ObjectTypes = SCOPE

[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------

;---------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Planning)"

ObjectTypes = SCOPE

[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------

;---------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Logging)"

ObjectTypes = SCOPE

[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------

;---------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage inetOrgPerson accounts"

ObjectTypes = SCOPE, inetOrgPerson

[template10.SCOPE]
inetOrgPerson=CC,DC

[template10.inetOrgPerson]
@=GA
;---------------------------------------------------------



;---------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset inetOrgPerson passwords and force password change at next logon"

ObjectTypes = inetOrgPerson

[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all inetOrgPerson information"

ObjectTypes = inetOrgPerson

[template12.inetOrgPerson]
@=RP

;----------------------------------------------------------

;---------------------------------------------------------
[template13]
AppliesToClasses=container

Description = "Create, Delete, and Manage WMI Filters"

ObjectTypes = SCOPE, msWMI-Som

[template13.SCOPE]
msWMI-Som=CC,DC

[template13.msWMI-Som]
@=GA
;----------------------------------------------------------

;---------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Create an Organizational Unit"

ObjectTypes = SCOPE

[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Delete a child Organizational Unit"

ObjectTypes = SCOPE

[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit

Description = "Delete this Organizational Unit"

ObjectTypes = organizationalUnit

[template16.organizationalUnit]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename an Organizational Unit"

ObjectTypes = organizationalUnit

[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Description of an Organizational Unit"

ObjectTypes = organizationalUnit

[template18.organizationalUnit]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Managed-By Information of an Organizational Unit"

ObjectTypes = organizationalUnit

[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delegate Control of an Organizational Unit"

ObjectTypes = organizationalUnit

[template20.organizationalUnit]
@=WD
;----------------------------------------------------------

;---------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a group"

ObjectTypes = SCOPE

[template21.SCOPE]
group=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child group"

ObjectTypes = SCOPE

[template22.SCOPE]
group=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this group"

ObjectTypes = group

[template23.group]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a group"

ObjectTypes = group

[template24.group]
cn=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the Pre-Windows 2000 compatible name for the group"

ObjectTypes = group

[template25.group]
sAMAccountName=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the description of a group"

ObjectTypes = group

[template26.group]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the scope of the group"

ObjectTypes = group

[template27.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the type of the group"

ObjectTypes = group

[template28.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify notes for a group"

ObjectTypes = group

[template29.group]
info=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify group membership"

ObjectTypes = group

[template30.group]
member=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By Information of a Group"

ObjectTypes = group

[template31.group]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a computer account"

ObjectTypes = SCOPE

[template32.SCOPE]
computer=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child computer account"

ObjectTypes = SCOPE

[template33.SCOPE]
computer=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this computer account"

ObjectTypes = computer

[template34.computer]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a computer account"

ObjectTypes = computer

[template35.computer]
@=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a computer account"

ObjectTypes = computer

[template36.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a computer account"

ObjectTypes = computer

[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computer's description"

ObjectTypes = computer

[template38.computer]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By information for a computer account"

ObjectTypes = computer

[template39.computer]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify that a computer account be trusted for delegation"

ObjectTypes = computer

[template40.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account in disabled state"

ObjectTypes = SCOPE

[template41.SCOPE]
user=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account"

ObjectTypes = SCOPE , user

[template42.SCOPE]
user=CC

[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child user account"

ObjectTypes = SCOPE

[template43.SCOPE]
user=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this user account"

ObjectTypes = user

[template44.user]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a user account"

ObjectTypes = user

[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template46.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Unlock a user account"

ObjectTypes = user

[template47.user]
lockoutTime=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a user account's password"

ObjectTypes = user

[template49.user]

CONTROLRIGHT= "Change Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Force a user account to change the password at the next logon"

ObjectTypes = user

[template50.user]
CONTROLRIGHT= "Reset Password"
userPassword=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's display name"

ObjectTypes = user

[template51.user]
adminDisplayName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user account's description"

ObjectTypes = user

[template52.user]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's office location"

ObjectTypes = user

[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's telephone number"

ObjectTypes = user

[template54.user]
telephoneNumber=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the location of a user's primary web page"

ObjectTypes = user

[template55.user]
wWWHomePage=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's UPN"

ObjectTypes = user

[template56.user]
userPrincipalName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's Pre-Windows 2000 user logon name"

ObjectTypes = user

[template57.user]
sAMAccountName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the hours during which a user can log on"

ObjectTypes = user

[template58.user]
logonHours=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computers from which a user can log on"

ObjectTypes = user

[template59.user]
userWorkstations=WP
;----------------------------------------------------------

;---------------------------------------------------------
;[template60]
;AppliesToClasses=domainDNS,organizationalUnit,container

;Description = "Set User cannot change password for a user account"

;ObjectTypes = user

;[template60.user]

;CONTROLRIGHT= "Change Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Password Never Expires for a user account"

ObjectTypes = user

[template61.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Store Password Using Reversible Encryption for a user account"

ObjectTypes = user

[template62.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template63.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Smart card is required for interactive logon for a user account"

ObjectTypes = user

[template64.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Account is sensitive and cannot be delegated for a user account"

ObjectTypes = user

[template65.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Use DES encryption types for this account for a user account"

ObjectTypes = user

[template66.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Do not require Kerberos pre-authentication for a user account"

ObjectTypes = user

[template67.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the date when a user account expires"

ObjectTypes = user

[template68.user]
accountExpires=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a profile path for a user"

ObjectTypes = user

[template69.user]
profilePath=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a logon script for a user"

ObjectTypes = user

[template70.user]
scriptPath=WP
;----------------------------------------------------------

Open in new window


Delegation Group
Delegation groups are named according to the permission that they grant. The permission that it grants can be, but is not limited to, AD permission to do a specific task.

Characteristics
Can only contain Role Groups
Cannot be members of any groups

Some examples of a built-in Delegation Group
Domain Administrators
Account Operators

Some examples of a custom Delegation Group
Password Reset
Manage Group Memberships

Role Group
Role groups should be created based on a specific role that group of people fulfil.
These groups are used to add delegation permissions to via delegation groups. This is done by adding the Role group as a member of the delegation groups for the permissions required.
It is worth noting that this delegation is not limited to AD permissions.

If the Help Desk supports SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way when a new Help Desk employee starts, it is only required to add a user account to the Help Desk Role group.

Characteristics
Can only contain privileged user accounts
Can only be a member of Delegation Groups

Some examples of a Role Group
Help Desk
Server Administrators

Benefits
No delegation against individual user accounts
Reuse of Delegation Groups
Easy to manage
Quick to determine permissions
Uncomplicated to assign correct permissions to an individual based on their function

https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
oBdA
That's strictly additive.
To remove permissions, enable the "Advanced Features" in the "View" menu of the ADUC console, open the properties of the OU, and you'll find the Security tab.
And do not, never, ever "pick the person". Don't delegate to individual accounts. Create a domain local group "AD_UnlockAccount" or whatever, delegate the permission to that group. Create a global role group "Helpdesk" or whatever, add that role group to the AD_UnlockAccount group. Finally, add "the person" to the global group.
What OS are you running on your DCs?
The following article mentions this problem, and even though it only refers to W2kR2/Win7, I can reproduce the exact behavior with Windows Server 2012: delegating LockoutTime works for the ADUC MMC, but not for Unlock-ADAccount.
Unlocking a user account fails when using ADAC or the Unlock-ADAccount cmdlet in Windows 7 or Windows Server 2008 R2 even if sufficient permissions are granted
https://support.microsoft.com/en-us/help/2577917/unlocking-a-user-account-fails-when-using-adac-or-the-unlock-adaccount
Delegating UserAccountControl didn't help, either.
What worked is the workaround described in the article: in the wizard, don't pick "Property specific", but leave the "General" selected, and check "Read and write account restrictions".
mike2401
ASKER
Thanks @oBdA.  I added read and write account restrictions to my userid on my win10 pc, and confirmed the OU's properties indeed refelct that in advanced security.

Nonetheless, I still get:

testit.jpg
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER CERTIFIED SOLUTION
oBdA
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
mike2401
ASKER
Genius @oBdA  !!!  Simply Genius!!

It's amazing you were able to solve the problem given how little info I included.

On the test ou, I only had the general settings, not the "property-specific" read/write lockout time.

As soon as I added that, BAM! It worked!

Thanks so much!

Truly impressive!

Mike
mike2401
ASKER
Thanks again!!
mike2401
ASKER
How do you give someone an endorsement?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Plans and Pricing
Resources
Product
Podcasts
Careers
Contact Us
Teams
Certified Expert Program
Credly Partnership
Udemy Partnership
Privacy Policy
Terms of Use

© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent