Re: Giving access to a user to unlock accounts (Active Directory)

In Active Directory you can delegate this right to your user. Once you do that, they will be able to right-click on a user in Hyena and choose Account Functions->Unlock Account.

Re: Giving access to a user to unlock accounts (Active Directory)

How do you delegate? If you can explain a little more detailed that'll be great!

Re: Giving access to a user to unlock accounts (Active Directory)

You can't do that part with Hyena. You'll have to use Active Directory Users & Computers. Once you open it you can right-click on your domain object, or a particular OU and choose Delegate Control, then step through the wizard.

Re: Giving access to a user to unlock accounts (Active Directory)

Is this right?

To delegate the right to a group or user: 1. Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).
2. Right-click the domain in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed.
3. The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.
4. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.
5. On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
6. On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.
7. On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next.
8. On the Completing the Delegation of Control Wizard dialog box, click Finish.

Most important, this will ONLY give access to the user to ONLY unlock accounts? they wont be admin right?

Re: Giving access to a user to unlock accounts (Active Directory)

Sounds about right to me.

Re: Giving access to a user to unlock accounts (Active Directory)

You also need to be Account Operator

Re: Giving access to a user to unlock accounts (Active Directory)

You do not have to be an account operator to unlock accounts. My helpdesk has this right and they are not account operators.
I have found the delegate wizzard seems to leave one thing out.
Try this, open dsa.msc and right click the OU you want. Select properties and add the group/user you want. Now click advanced, highlight the user and select edit. The new window that pops up will have two tabs, select the properties tab, then the group name on the top, then in the field that says <span style="font-weight: bold">Apply onto</span> should say <span style="font-weight: bold">user objects</span>. Scroll down and find the setting that says <span style="font-weight: bold">Write lockout Time</span>.

Note: that there may be other checks on your user you assigned. Everyone is different but I just showed you how to enable some one the ability to unlock user accounts.

[This message has been edited by Trammel (edited 02-01-2006).]