Delegation of Control

    Question

  • I have a domain local group named DL_Password_Resetters. The member of this group is a global group named GG_Users_Password_Resetters. The members of GG_Users_Password_Resetters are required to reset passwords for the domain users and unlock domain user accounts.

    This is how I have implemented it, as described at the URL: https://social.technet.microsoft.com/Forums/msonline/en-US/3f0dbf8e-636b-45fe-93db-f788d5b976fd/allow-help-desk-to-only-reset-user-passwords?forum=winserverManagement

    Task 1: Delegate unlock user account permission

    1.     Create the group or user account that you want to have the right to change password and unlock user accounts in Active Directory Users and Computers (for example, Help Desk Admins).

    2.     Right-click the domain in Active Directory Users and Computers, and then click Delegate Control from the menu that is displayed.

    3.     The Delegation of Control Wizard should be displayed. On the Welcome dialog box, click Next.

    4.     On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts, and then click OK. On the Users and Groups dialog box, click Next.

    5.     On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.

    6.     On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects (the last entry in the list), and then click Next.

    7.     On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, click to select the Reset Password check box, and then click Next.

    8.     On the Completing the Delegation of Control Wizard dialog box, click Finish.


    Task 2: Delegate unlock user account permission


    1. In the console of "Active Directory Users and Computers" -> Right-click the desired OU or Container in the left pane -> Delegate Control…

    2. In the Wizard of Delegate Control… -> Add the desired delegated user account or group of management -> Select "Create a custom task to delegate" -> Choose "Only the following objects in the folder" -> Choose the "User objects" and Check the box of "Create selected object in this folder" -> Next -> Check "Change Password" -> Finish the Wizard.

    However, when I log on as a member of GG_Users_Password_Resetters and attempt to enable a locked user, I receive a message that Windows cannot enable object XXXXX because: Insufficient access rights to perform the operation.

    Where could I be going wrong?

    Wednesday, May 11, 2016 4:02 PM
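The same delegation as Task 1 above, applied from PowerShell as explicit ACEs. This is an added example, not code from the thread or from Microsoft's article; it assumes the ActiveDirectory module, a placeholder OU (OU=Staff,DC=corp,DC=example) and the group name from the question, and it must run as an account allowed to modify the OU's security descriptor. One point worth checking against the error text in the question: "Windows cannot enable object" is the wording ADUC uses for its Enable Account action, and enabling a disabled account is a write to userAccountControl. Unlocking is a write to lockoutTime. Neither Task 1 nor Task 2 grants write access to userAccountControl, so this delegation deliberately does not grant it either.

```powershell
# Added example (not from the thread or Microsoft's article): Task 1 from the question as
# explicit ACEs on one OU, inherited by the user objects beneath it.
# Assumptions: ActiveDirectory module installed; $ouDN is a placeholder you replace;
# the session runs as an account that may modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN     = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$groupSam = 'DL_Password_Resetters'         # domain local group named in the question

$group = Get-ADGroup -Identity $groupSam
$sid   = $group.SID

# Well-known GUIDs (identical in every forest; they come from the schema partition and
# from CN=Extended-Rights in the configuration partition):
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # schemaIDGUID of attribute lockoutTime
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
# Task 2's "Change Password" (ab721a53-1e2f-11d0-9819-00aa0040529b) is the right to change a
# password while supplying the old one; help desk resets use "Reset Password", so it is omitted.

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# "Descendents" (the enum's own spelling): apply to child objects only, not to the OU itself
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"

# Reset Password (extended right) on descendant user objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPassword, $descend, $userClass))

# Read + Write lockoutTime on descendant user objects; writing lockoutTime = 0 is what "unlock" does
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $lockoutTime, $descend, $userClass))

# Deliberately NOT granted: write to userAccountControl. Enabling a disabled account
# (Enable Account in ADUC, Enable-ADAccount) writes that attribute and will still fail
# with "insufficient access rights" under this delegation.

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back what the group now holds on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize

# To test: log off and on as a member of GG_Users_Password_Resetters (the logon token must
# contain the new group membership), then run:
#   Unlock-ADAccount -Identity jdoe
#   Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString 'New password')
```

The read-back at the end is the scripted equivalent of looking at the Advanced tab of the OU's Security dialog; `dsacls "OU=Staff,DC=corp,DC=example"` prints the same ACL if you prefer a built-in tool. Accounts in protected groups are excluded regardless: AdminSDHolder overwrites their ACL, which is why the thread asks about protected group membership.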

Answers

  • Hi Kanderendu,

    It is strange.

    If the user has been delegated the Read and Write lockoutTime permissions, the user could lockout an account, theoretically and in my test environment.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, May 20, 2016 6:16 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    I have tested delegating the unlock account permission to a user with Delegation of Control, following the steps provided in the article below.

    How To Delegate the Unlock Account Right

    https://support.microsoft.com/en-us/kb/294952

    Best Regards,

    Jay



    Thursday, May 12, 2016 2:41 AM
    Moderator
  • Thanks Jay;

    I have followed these steps, then logged on to the client using one of the usernames in the delegated group. When I attempt to change the password and unlock a locked user account, the password is changed but the unlocking fails with the message: Windows cannot enable object XXXXX because: Insufficient access rights to perform the operation.

    I have checked that the user account I am attempting to unlock is in the OU where I did the delegation.

    Thursday, May 12, 2016 1:53 PM
  • > the unlocking fails with the message: Windows cannot enable object XXXXX
    > because: Insufficient access rights to perform the operation.
     
    Is the user a member of any protected group?
     
     
    Thursday, May 12, 2016 3:37 PM
  • No, the user is not a member of any protected group. He is just a normal domain user
    Friday, May 13, 2016 4:08 AM
  • Hi Kanderendu,

    I suggest you check whether the user who has been delegated permission to unlock accounts has the Read and Write lockoutTime permissions on the Advanced security tab, as shown below.

    Best Regards,

    Jay




    Friday, May 13, 2016 8:23 AM
    Moderator
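A scripted version of the check suggested in the reply above, added here as an example (not code from the thread). It lists the ACEs the delegated group holds on one user object, resolves the object-type GUIDs to attribute, class or right names, and then reports whether the group can write lockoutTime (needed to unlock) and whether it can write userAccountControl (needed to enable a disabled account, which is the operation named in the "cannot enable object" error). It assumes the ActiveDirectory module and placeholder user and group names.

```powershell
# Added example (not from the thread): inspect the ACEs a delegated group holds on a user
# object and decode them. Assumptions: ActiveDirectory module; $userSam/$groupSam are
# placeholders. Deny ACEs and property-set grants are ignored here; use dsacls or the
# Effective Access tab for the authoritative answer.
Import-Module ActiveDirectory

$groupSam = 'DL_Password_Resetters'
$userSam  = 'jdoe'                      # placeholder account to inspect

$rootDse = Get-ADRootDSE

function Resolve-AdGuid {
    # Map an ACE ObjectType / InheritedObjectType GUID to an attribute, class or right name.
    param([Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return '(all)' }
    # schemaIDGUID is stored as binary, so the LDAP filter needs escaped bytes
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $schema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName
    if ($schema) { return $schema.lDAPDisplayName }
    # rightsGuid on control access rights is a string, so a plain equality match works
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName
    if ($right) { return $right.displayName }
    return $Guid.ToString()
}

$userDN = (Get-ADUser -Identity $userSam).DistinguishedName
$aces = (Get-Acl -Path "AD:\$userDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" }

$aces | ForEach-Object {
    [pscustomobject]@{
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        Object    = Resolve-AdGuid $_.ObjectType            # attribute or right the ACE is scoped to
        AppliesTo = Resolve-AdGuid $_.InheritedObjectType   # object class the ACE is inherited by
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

function Test-WriteAttribute {
    # True if an Allow ACE grants WriteProperty on this attribute or on all properties.
    # GenericAll / GenericWrite contain the WriteProperty bit, so they count as well.
    param([string]$Attribute)
    [bool]($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq [Guid]::Empty -or (Resolve-AdGuid $_.ObjectType) -eq $Attribute)
    })
}

"Can unlock (write lockoutTime):                $(Test-WriteAttribute 'lockoutTime')"
"Can enable/disable (write userAccountControl): $(Test-WriteAttribute 'userAccountControl')"
```

If the first line prints True and the second False, the delegation matches what the wizard steps grant: unlocking should work, and the Enable Account action is expected to be refused. If both are False, the ACEs did not reach the user object, which usually means the user sits outside the OU, inheritance is blocked on the object, or the account is covered by AdminSDHolder.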
  • Thanks Jay. I have enabled the permissions as shown below, but it is still giving the same error message.

    Friday, May 13, 2016 2:03 PM
  • Even after setting the Read lockoutTime and the Write lockoutTime permissions, I am still getting the same issue.

    Friday, May 13, 2016 5:28 PM