In order to delegate the right to unlock locked user accounts to a user or group in Active Directory, you first need to make the right visible in Active Directory Users and Computers (ADUC).
The %windir%\System32\dssec.dat file contains all the rights attributes that can be exposed in ADUC. These rights attributes are grouped under headings surrounded by square brackets, such as [user] or [computer]. Each attribute is assigned a value (filter) as follows:
- 0: Read and Write are exposed
- 1: Write is exposed
- 2: Read is exposed
- 7: Hide the attribute
To modify the filter, open dssec.dat in Notepad. Find the lockoutTime attribute under the [user] heading. Be careful to select the [user] heading, as there's another lockoutTime attribute under [computer]. Change the value of the filter from 7 to 0 (lockoutTime=0) and save the changes.
To delegate the right to unlock user accounts in ADUC:
- Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
- Click Next on the Welcome dialog
- Click Add to select the user or group and click OK
- Click Next
- Select Create a custom task to delegate and click Next
- Select Only the following objects in the folder. In the list, check User objects and click Next
- Clear the General checkbox and check the Property-specific box
- Check both the Read lockoutTime and Write lockoutTime boxes and press Next
- Click Finish
Note: You only need to edit the dssec.dat file on the computer where you are performing the delegation. You do not need to modify it from any other machine, including the one where the user administration will occur.
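The same property-specific delegation can be written straight into the OU's ACL with PowerShell, which also skips the dssec.dat edit (that file only controls what ADUC displays). This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is available, and the OU and principal names shown are placeholders. The second function reads the ACEs back so you can verify exactly what was granted.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class lDAPDisplayName to its schemaIDGUID from the live schema,
    # so no GUIDs are hard-coded.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Grant-UnlockDelegation {
    # $OU and $Principal are placeholders, e.g. 'OU=Staff,DC=example,DC=com' and 'EXAMPLE\Helpdesk'
    param([string]$OU, [string]$Principal)
    $sid = (New-Object System.Security.Principal.NTAccount $Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $lockoutGuid = Get-SchemaGuid 'lockoutTime'
    $userGuid    = Get-SchemaGuid 'user'
    $acl = Get-Acl -Path "AD:\$OU"
    # ReadProperty + WriteProperty on lockoutTime only, applied to descendant user objects only.
    # This mirrors the wizard's "Only the following objects" + "Property-specific" choices and
    # grants nothing broader (no generic write, no reset-password right).
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Get-LockoutTimeDelegations {
    # Audit: list every ACE on the OU that targets lockoutTime, i.e. who can unlock accounts here.
    param([string]$OU)
    $lockoutGuid = Get-SchemaGuid 'lockoutTime'
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.ObjectType -eq $lockoutGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType
}

# Usage (replace with your own OU and group):
# Grant-UnlockDelegation -OU 'OU=Staff,DC=example,DC=com' -Principal 'EXAMPLE\Helpdesk'
# Get-LockoutTimeDelegations -OU 'OU=Staff,DC=example,DC=com'
```

Run the audit function before and after the grant to confirm that only the intended group gained Read/Write on lockoutTime and that the ACE is inherit-only on user objects.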
Dear Jeff,
I have checked the DSSEC.DAT file in Windows 2008; under [user] you will find the list below:
[user]
aCSPolicyName=7
adminCount=7
allowedAttributes=7
allowedAttributesEffective=7
allowedChildClasses=7
allowedChildClassesEffective=7
badPasswordTime=7
badPwdCount=7
bridgeheadServerListBL=7
c=7
canonicalName=7
co=7
codePage=7
controlAccessRights=7
countryCode=7
createTimeStamp=7
dBCSPwd=7
defaultClassStore=7
destinationIndicator=7
displayNamePrintable=7
distinguishedName=7
dSASignature=7
dSCorePropagationData=7
dynamicLDAPServer=7
extensionName=7
flags=7
fromEntry=7
frsComputerReferenceBL=7
fRSMemberReferenceBL=7
fSMORoleOwner=7
garbageCollPeriod=7
generationQualifier=7
groupPriority=7
groupsToIgnore=7
instanceType=7
isCriticalSystemObject=7
isDeleted=7
isPrivilegeHolder=7
l=7
lastKnownParent=7
lastLogoff=7
lastLogon=7
legacyExchangeDN=7
lmPwdHistory=7
localeID=7
logonCount=7
mail=7
managedObjects=7
masteredBy=7
maxStorage=7
mhsORAddress=7
modifyTimeStamp=7
mS-DS-ConsistencyChildCount=7
mS-DS-ConsistencyGuid=7
mSMQDigests=7
mSMQDigestsMig=7
mSMQSignCertificates=7
mSMQSignCertificatesMig=7
msNPAllowDialin=7
msNPCallingStationID=7
msRADIUSCallbackNumber=7
msRADIUSFramedIPAddress=7
msRADIUSFramedRoute=7
msRADIUSServiceType=7
netbootSCPBL=7
networkAddress=7
nonSecurityMemberBL=7
ntPwdHistory=7
nTSecurityDescriptor=7
o=7
objectCategory=7
objectClass=7
objectGUID=7
objectVersion=7
operatorCount=7
otherWellKnownObjects=7
ou=7
partialAttributeDeletionList=7
partialAttributeSet=7
physicalDeliveryOfficeName=7
possibleInferiors=7
preferredDeliveryMethod=7
preferredOU=7
primaryGroupID=7
primaryInternationalISDNNumber=7
primaryTelexNumber=7
proxiedObjectName=7
proxyAddresses=7
queryPolicyBL=7
registeredAddress=7
replPropertyMetaData=7
replUpToDateVector=7
repsFrom=7
repsTo=7
revision=7
rid=7
sAMAccountType=7
sDRightsEffective=7
securityIdentifier=7
seeAlso=7
serverReferenceBL=7
servicePrincipalName=7
showInAddressBook=7
showInAdvancedViewOnly=7
sIDHistory=7
siteObjectBL=7
sn=7
st=7
subRefs=7
subSchemaSubEntry=7
supplementalCredentials=7
systemFlags=7
teletexTerminalIdentifier=7
telexNumber=7
terminalServer=7
textEncodedORAddress=7
tokenGroups=7
tokenGroupsNoGCAcceptable=7
unicodePwd=7
url=7
userPassword=7
userSMIMECertificate=7
uSNChanged=7
uSNCreated=7
uSNDSALastObjRemoved=7
USNIntersite=7
uSNLastObjRem=7
uSNSource=7
wbemPath=7
wellKnownObjects=7
whenChanged=7
whenCreated=7
x121Address=7
and I can configure the delegation to unlock users. What I get in Windows 2008 is that if the attribute is not listed, it will be 0, so there is no need to add it; if you are running Windows 2000 you need to add it.
Many thanks for this solution, it worked perfectly.
Hi Jeff,
Thanks for this informative post. I have always found delegation to be very useful, especially for helpdesk kind of tasks, such as password resets and account lockout assistance.
One related issue I have seen though is that once we have delegated access, it is not very easy to find out who is delegated what access. Basically, group memberships and complicated ACLing make it a headache to find this out easily.
This seems like a very common issue too, as I came across a discussion related to it on one of the forums I occasionally participate in - How to audit delegated administrative access in an Active Directory OU - so I thought I would share it with you, in case it helps other fellow readers.
I would also be curious to hear your take on whether you too find it easy or difficult to find out who is delegated what access in the Active Directory, especially for account lockouts and password resets.