Delegating account unlock rights in AD

active-directory, delegation, permissions, windows-server-2003

I'm trying to delegate the rights to unlock user accounts in our Active Directory domain. This should be easy, and I've done it before… but every time the user tries to unlock an account (using the LockoutStatus tool), he gets denied with the error "You do not have the necessary permissions to unlock this account."

Here's what I've done:

  • I created a domain local group and added the members who should have the rights. This was created over a week ago, so the users have logged out and in again.
  • In ADUC, I've used the Delegate Rights wizard on the OU which contains our user accounts to grant permissions to Read lockoutTime and Write lockoutTime to the group, per MSKB 279723.
  • I have double-checked the permissions were applied correctly in ADSIEdit.
  • I have forced replication between all domain controllers to ensure the permission changes were copied over.
  • The user testing it has logged out and in again to ensure he has any changes applied to his account.

…That covers all the bases I can think of. Anything else I could be missing?

Best Answer

If you are facing this problem with admin accounts, then it might be related to permissions being reset on an hourly basis due to AdminSDHolder.

Details
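An added diagnostic for the two failure points above (it is not code from the thread): it checks whether the affected user is AdminSDHolder-protected (adminCount=1), and whether a Write lockoutTime ACE for the delegated group is actually present on the user object. It assumes the ActiveDirectory module is installed; the group, user and OU names are placeholders.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory (RSAT)
# module; the group, user and OU names below are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'Helpdesk-Unlock'                  # placeholder: delegated group
$UserToTest = 'jdoe'                              # placeholder: account being unlocked

# Resolve the schemaIDGUID of lockoutTime from the schema rather than hardcoding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$attr        = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockoutGuid = [guid]$attr.schemaIDGUID

$groupSid = (Get-ADGroup $GroupName).SID
$user     = Get-ADUser $UserToTest -Properties adminCount

# 1. Protected accounts (adminCount=1) have their ACL overwritten from
#    CN=AdminSDHolder,CN=System by SDProp, so rights delegated on the OU
#    never persist on them; the delegation must be made on AdminSDHolder instead.
if ($user.adminCount -eq 1) {
    Write-Warning "$UserToTest has adminCount=1: its ACL is reset from AdminSDHolder; OU delegation will not apply."
}

# 2. Look on the user object itself for an Allow ACE that grants the group
#    WriteProperty on lockoutTime (or on all properties, ObjectType = empty GUID).
$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    ($_.ObjectType -eq $lockoutGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($ace) {
    "Write lockoutTime is granted to $GroupName on $($user.DistinguishedName) (inherited: $($ace.IsInherited))"
} else {
    "No Write lockoutTime ACE for $GroupName on $($user.DistinguishedName)"
}
```

If the ACE is missing only on protected accounts, the delegation itself is fine and it is SDProp undoing it, which is the situation the answer describes.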