I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before... but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the error "You do not have the necessary permissions to unlock this account."
Here's what I've done:
- I created a domain local group and added the members who should have the rights. This was created over a week ago, so the users have logged out and in again.
- In ADUC, I've used the Delegate Rights wizard on the OU which contains our user accounts to grant permissions to Read lockoutTime and Write lockoutTime to the group, per MSKB 279723.
- I have double-checked the permissions were applied correctly in ADSIEdit.
- I have forced replication between all domain controllers to ensure the permission changes were copied over.
- The user testing it has logged out and in again to ensure he has any changes applied to his account.
...That covers all the bases I can think of. Anything else I could be missing?
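The delegation described in the question, granting Read and Write of lockoutTime on the OU to a group and then checking that the ACE really exists and is inherited by a user object, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, and the OU DN, group name and test account name are placeholders to be replaced; the schemaIDGUIDs are read from the schema at run time rather than hard-coded.

```powershell
# Added example (not from the original post). Assumed names: $ouDN, $groupName, $testUser.
Import-Module ActiveDirectory

$ouDN      = 'OU=Users,DC=example,DC=com'   # assumed OU that holds the user accounts
$groupName = 'Unlock-Delegates'              # assumed domain local group
$testUser  = 'jdoe'                          # assumed account to verify against

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'        -Properties schemaIDGUID).schemaIDGUID

$group = Get-ADGroup -Identity $groupName

# Build an Allow ACE: ReadProperty + WriteProperty on lockoutTime, applied to
# descendant user objects only (the same scope the Delegation wizard produces).
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$ouAcl = Get-Acl -Path "AD:\$ouDN"
$ouAcl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# Check 1: the ACE is present on the OU for this group and this attribute GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.ObjectType -eq $lockoutTimeGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# Check 2: the ACE actually reaches a user object under the OU. If the user's
# security descriptor has inheritance blocked (AreAccessRulesProtected = True),
# nothing delegated on the OU applies to it, regardless of replication or logoff.
$user    = Get-ADUser -Identity $testUser
$userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
[pscustomobject]@{
    User               = $user.SamAccountName
    InheritanceBlocked = $userAcl.AreAccessRulesProtected
    LockoutTimeAces    = @($userAcl.Access | Where-Object {
                             $_.IdentityReference -like "*\$groupName" -and $_.ObjectType -eq $lockoutTimeGuid
                         }).Count
}
```

If the OU shows the ACE but the user object shows InheritanceBlocked = True with zero matching ACEs, the delegation is correct and the problem is on the account side, not the OU; run the second check against the exact account the tester is trying to unlock rather than a random one.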
If you are facing this problem with admin accounts, then it might be related to permissions getting reset on an hourly basis due to AdminSDHolder.
Details
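A way to confirm the AdminSDHolder explanation above, as an added PowerShell example that is not part of the original answer: list accounts under the OU that carry adminCount=1, show whether inheritance is blocked on them, and check whether the delegation group has an ACE on the AdminSDHolder object itself (which is where SDProp copies the ACL from). The OU DN and group name are assumed placeholders; the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the original answer). Assumed names: $ouDN, $groupName.
Import-Module ActiveDirectory

$ouDN      = 'OU=Users,DC=example,DC=com'   # assumed
$groupName = 'Unlock-Delegates'              # assumed delegation group

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# Accounts that SDProp stamps with the AdminSDHolder ACL (roughly every hour).
$protectedUsers = Get-ADUser -SearchBase $ouDN -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $protectedUsers) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected   # True is the AdminSDHolder signature
        GroupAces          = @($acl.Access | Where-Object { $_.IdentityReference -like "*\$groupName" }).Count
    }
}

# Does AdminSDHolder itself carry any ACE for the delegation group? If not, the
# protected accounts will never receive one, no matter what the OU grants.
$holderAces = (Get-Acl -Path "AD:\$adminSDHolder").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" }
"ACEs for $groupName on AdminSDHolder: $(@($holderAces).Count)"
```

Accounts that appear in the first listing but are no longer members of any protected group keep adminCount=1 and the blocked inheritance until someone clears the attribute and re-enables inheritance by hand; SDProp does not undo its own changes.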
Have you verified the admins in question have not been explicitly denied access to that attribute through membership of another group?
I had a similar problem a few months ago. To resolve the issue, I created a new group in AD and added the users in there, then I created a new domain Group Policy and created a Restricted Group in the new domain policy. Then I added all of the users who need access to the AD lockout tool from the new AD group I created to the Restricted Group in the new group policy, and bingo, it worked.
Just make sure that you test this on a test domain first, to make sure you don’t break anything in live.