May 13, 2009 12:00 AM

Q: How can I delegate the right to unlock locked Active Directory (AD) user accounts?

Windows IT Pro
InstantDoc ID #102025

A: To delegate the right to unlock locked user accounts to a user or group in AD, you must grant that user or group permission to read and write the lockoutTime attribute of the AD user objects. Unlocking an account is nothing more than a write to this attribute (the Unlock action in ADUC resets lockoutTime to 0), so Read and Write on lockoutTime is all the delegated principal needs.

To let administrators change these two permissions in AD, you must first make sure that the read and write permissions are visible in the advanced ACL editor that you can access from the Active Directory Users and Computers (ADUC) MMC snap-in. In Windows 2000, both permissions are hidden from ADUC by default. In Windows Server 2003 and Windows Server 2008, they show up in the ADUC’s advanced ACL editor, shown here.

The attribute permissions that are displayed in ADUC’s ACL editor can be controlled using the dssec.dat configuration file, which is stored in the %windir%\System32 directory. In dssec.dat, each object attribute can be assigned one of the following values:

  • 7 : do not include the property in the ACL editor
  • 2 : include only the “Read” property in the ACL editor
  • 1 : include only the “Write” property in the ACL editor
  • 0 : include both the “Read” and “Write” property in the ACL editor

If an attribute isn't listed in the dssec.dat file, it shows up in the ACL editor. In Windows Server 2003 and Windows Server 2008, lockoutTime is by default not included in the dssec.dat file, so it shows up in the ACL editor.

Dssec.dat uses the INI file format to list, per object class, the properties that should be filtered out of the Properties list in the ACL editor. The file is structured as follows:

[objectclass-name1]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

[objectclass-name2]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

where objectclass-nameX refers to the AD schema object class whose visibility in the ACL editor should be controlled, and attribute-nameX to one of its attributes. The "@" entry controls the visibility of the object class itself.

To modify the filter for the lockoutTime attribute in Windows 2000, open dssec.dat in Notepad. The lockoutTime attribute is listed under the [user] heading. Change its value from 7 to 0, then save the dssec.dat file.

Note that you only need to edit the dssec.dat file on the Windows 2000 computer from which you set up the actual delegation. Also keep in mind that dssec.dat is read only when an administrator opens ADUC, so changes you make to it won't take effect until you close and reopen ADUC.
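The dssec.dat check and edit described above, as an added PowerShell example that is not part of the original article. It assumes only what the article states: the default %windir%\System32\dssec.dat location, [objectclass] sections with attribute=value lines, and the value meanings 7 (hidden), 2 (Read only), 1 (Write only) and 0 (Read and Write). The function names are this example's own. It must run from an elevated prompt because the file lives under System32.

```powershell
# Added example (not from the article): report and, if necessary, change how dssec.dat
# exposes an attribute in the ADUC ACL editor. Assumes the article's file layout and the
# default path; Get-/Set-DssecVisibility are names chosen for this example.
$DssecPath = Join-Path $env:windir 'System32\dssec.dat'

# Return the value recorded for $Attribute under [$ObjectClass], or $null when the
# attribute is not listed (in which case the ACL editor already shows Read and Write).
function Get-DssecVisibility {
    param([string]$Path, [string]$ObjectClass, [string]$Attribute)
    $inSection = $false
    foreach ($line in (Get-Content -Path $Path)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $ObjectClass)      # -eq is case-insensitive
        } elseif ($inSection -and $t -match "^$([regex]::Escape($Attribute))=(\d+)$") {
            return [int]$Matches[1]
        }
    }
    return $null
}

# Rewrite only the matching attribute line inside the right section and keep a backup.
# Returns $true when a line was changed, $false when the attribute was not listed.
function Set-DssecVisibility {
    param([string]$Path, [string]$ObjectClass, [string]$Attribute,
          [ValidateSet(0, 1, 2, 7)][int]$Value)
    $inSection = $false
    $changed   = $false
    $newLines  = foreach ($line in (Get-Content -Path $Path)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $ObjectClass)
            $line
        } elseif ($inSection -and $t -match "^$([regex]::Escape($Attribute))=\d+$") {
            $changed = $true
            "$Attribute=$Value"
        } else {
            $line
        }
    }
    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force
        Set-Content -Path $Path -Value $newLines -Encoding Ascii   # dssec.dat is plain text
    }
    return $changed
}

$meaning = @{ 7 = 'hidden'; 2 = 'Read only'; 1 = 'Write only'; 0 = 'Read and Write' }
$current = Get-DssecVisibility -Path $DssecPath -ObjectClass 'user' -Attribute 'lockoutTime'
if ($null -eq $current) {
    'lockoutTime is not listed under [user]: the ACL editor already shows Read and Write.'
} else {
    "lockoutTime under [user] is $current ($($meaning[$current]))."
    if ($current -ne 0) {
        Set-DssecVisibility -Path $DssecPath -ObjectClass 'user' -Attribute 'lockoutTime' -Value 0 | Out-Null
        'lockoutTime set to 0 (Read and Write); close and reopen ADUC to see the change.'
    }
}
```

The rewrite is section-aware on purpose: several object classes can carry an attribute of the same name, and only the [user] entry affects the permissions you are about to delegate. On Windows Server 2003 and 2008 the script reports that lockoutTime is not listed and changes nothing.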

To delegate the right to unlock user accounts on the OU or domain level in ADUC, you can modify the permissions for the lockoutTime attribute directly in the ACL editor or use the AD delegation wizard. In the latter case, you must perform the following steps.

  1. Right-click the OU or domain in ADUC and select Delegate Control... from the context menu.
  2. Click Next in the Welcome dialog.
  3. Click Add... to select the user or group to which you want to delegate control and click OK.
  4. Click Next.
  5. Select Create a custom task to delegate and click Next.
  6. Select Only the following objects in the folder then, in the list, check User objects and click Next.
  7. Clear the General checkbox and check the Property-specific box.
  8. Check both the Read lockoutTime and Write lockoutTime boxes and click Next.
  9. Click Finish.
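The wizard steps above end up as a single access control entry on the OU: Read Property and Write Property, restricted to the lockoutTime attribute and inherited by user objects only. The following added PowerShell example, which is not from the original article, creates that same entry with a script and then lists it for verification. It assumes the ActiveDirectory PowerShell module and its AD: drive are available (Windows Server 2008 R2 or RSAT, later than the systems the article discusses), and the OU distinguished name and group name are placeholders to replace.

```powershell
# Added example (not from the article): delegate Read/Write on lockoutTime for all user
# objects under an OU, the same ACE the delegation wizard creates. Assumes the
# ActiveDirectory module; the OU and group names below are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk-Managed,DC=example,DC=com'   # placeholder OU
$groupName = 'EXAMPLE\Unlock-Operators'                # placeholder group
$adPath    = "AD:\$ouDN"

# Look up the schemaIDGUIDs of the lockoutTime attribute and of the user class from the
# live schema rather than hard-coding them; both are needed to scope the ACE.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate([System.Security.Principal.SecurityIdentifier])

# One ACE: ReadProperty + WriteProperty, limited to lockoutTime (ObjectType), applied to
# descendant user objects only (InheritedObjectType) and not to the OU itself.
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verify: show only the ACEs for this group that are scoped to the lockoutTime attribute.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, InheritedObjectType -AutoSize
```

The verification step is the one worth keeping in a change record: an entry whose ObjectType is the lockoutTime GUID and whose InheritedObjectType is the user class GUID is exactly the least-privilege result; an entry with an empty ObjectType would mean the group received Read/Write on all properties instead.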