How to setup domain administrative delegation to a helpdesk

To grant a helpdesk to reset an account’s password, the User must change password at next logon account property, unlock an account, you may want to delete domain administrative rights to the user. The following example shows how to delegate the Unlock Account Right.

I. At first, you need to reveal the Unlock Account (lockoutTime) right for the Delegate Control Wizard following these steps:

3. Change the value of the lockoutTime entry from lockoutTime=7 to lockoutTime=0.
4. Save it

II. To delegate the right to a group or user, please follow these stpes:
1. Create the group or user account that you want to have the right to unlock user accounts in Active Directory Users and Computers (for example, setup).
2. Right-click the domain in ADUC, and then click Delegate Control from the menu that is displayed.
3. On the Welcome dialog box, click Next.
4. On the Users and Groups dialog box, click Add. Select the group in the list that you want to give the right to unlock accounts (setup in our case), and then click OK. On the Users and Groups dialog box, click Next.
5. On the Tasks to Delegate dialog box, click Create a custom task to delegate, and then click Next.
6. On the Active Directory Object Type dialog box, click Only the following objects in the folder:. In the list, click User objects, and then click Next.
7. On the Permissions dialog box, click to clear the General check box, and then click to select the Property-specific check box. In the Permissions list, click to select the Read lockoutTime check box, click to select the Write lockoutTime check box, and then click Next.
8. On the Completing the Delegation of Control Wizard dialog box, click Finish.

Post your questions, comments, feedbacks and suggestions

Contact a consultant

Related Topics