Re: Delegate Account release

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 10/19/03 

Date: Mon, 20 Oct 2003 01:11:49 +0400

My bad, messed this up with account disabled flag. 

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Active Directory
  "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message news:eqgzcSklDHA.2432@TK2MSFTNGP10.phx.gbl...
  This is incorrect.
  The lockout property is an attribute called lockoutTime. The permission to write that value needs to be given.
  Once that delegation is done, you can use the GUI tools or the command line tool UNLOCK to unlock the user accounts. You can find unlock at www.joeware.net on the free win32 tools page. 
  -- 
  Joe Richards 
  www.joeware.net
  --
    "Dmitry Korolyov [MVP]" <d__k@removethispart.mail.ru> wrote in message news:uSZSPbMlDHA.3320@tk2msftngp13.phx.gbl...
    It is a flag in userAccountControl property, and you can delegate write access to that property of user objects. But note that by delegating access to this property you enable to change security-sensitive flags such as store password reversible encryption, password never expires etc - all specified under "account options" on the account tab in user properties in ADUC.
    -- 
    Dmitry Korolyov [d__k@removethispart.mail.ru]
    MVP: Windows Server - Active Directory
      "Tom" <sprdthword@hotmail.com> wrote in message news:uI$B2nxkDHA.2244@TK2MSFTNGP12.phx.gbl...
      Can anyone tell me if there is a way to delegate the permission/authority
      for someone to release locked out accounts?
      We have a school with an average class size in the IT lab of 25+ and we are
      constantly getting students locking themselves out by not typing their
      passwords correctly. I would like to allow the other IT teacher the
      authority to unlock them without giving him either Admin rights or direct
      access to the server. I saw a script somewhere which will do the unlock, but
      the writer mentioned a problem he had in writing the script - and that was
      that the IsAccountLocked is actually not a property but a flag set on the
      fly. So - that means I don't think I can set permissions directly on that
      flag, but can I set them somewhere else?
      Thanks in advance.
      Tom

Relevant Pages

  • RE: 3 MUD Migration Strategy thoughts please
    ... Active Directory Operations Overview ... Once you have decided to implement an in-place upgrade process will go like ... you can install Exchange server and transfer mailbox etc. ... Why Upgrade from Windows NT 4.0 to Windows Server 2003 ...
    (microsoft.public.windows.server.migration)
  • Re: Why do i need to know AD ?
    ... DNS Support for Active Directory Technical Reference ... Is the directory service included in the Windows Server 2000/2003 family. ... controller to interact with domain controllers in the domain running Windows ... used to configure replication between sites. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Forest Setup Question
    ... Deployment Kit, which you can purchase in hard copy form at Amazon (or ... Designing the Active Directory Logical Structure ... Enabling Advanced Windows Server 2003 Active Directory Features ... Deploying the Windows Server 2003 Forest Root Domain ...
    (microsoft.public.windows.server.general)
  • Re: Forest Setup Question
    ... Deployment Kit, which you can purchase in hard copy form at Amazon (or ... Designing the Active Directory Logical Structure ... Enabling Advanced Windows Server 2003 Active Directory Features ... Deploying the Windows Server 2003 Forest Root Domain ...
    (microsoft.public.exchange.misc)
  • Exchange 5.5 to Exchange 2003
    ... I will migrate all to a new Active Directory Domain using the following steps: ... 2.Promote the BDC to the PDC, which demotes the PDC to a BDC. ... 4.Upgrade the new PDC to Windows Server 2003. ...
    (microsoft.public.exchange.setup)