
Can't delegate Unlock right after following KB294952

Anonymous
July 4, 2005 2:33:57 PM

Archived from groups: microsoft.public.win2000.active_directory

After following the steps in this KB and in KB 279723 (how to grant
help-desk access to unlock), the "account locked" switch is still greyed out
when an account is locked and I'm viewing the lock from an account that's
supposed to have this right.

I've hacked dssec.dat on one workstation and on the DC with all the FSMO
roles (including PDC emulator) so that lockoutTime is visible when I try to
delegate control or view permissions on this right. I can use ADSI Edit to
confirm that the groups I've assigned these rights have had them assigned.
Yet "Account Locked" is still unavailable.

I've granted the right to a global group and added users to said group.
I've granted the right to objects within the domain (as opposed to the Users
OU) - isn't it supposed to propagate down to the Users OU?

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>
Anonymous
July 12, 2005 6:21:34 PM

Dump the permissions of the object in question that it isn't working on with
DSACLS and post the results.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Gordon Fecyk wrote:
> After following the steps in this KB and in KB 279723 (how to grant
> help-desk access to unlock), the "account locked" switch is still greyed out
> when an account is locked and I'm viewing the lock from an account that's
> supposed to have this right.
>
> I've hacked dssec.dat on one workstation and on the DC with all the FSMO
> roles (including PDC emulator) so that lockoutTime is visible when I try to
> delegate control or view permissions on this right. I can use ADSI Edit to
> confirm that the groups I've assigned these rights have had them assigned.
> Yet "Account Locked" is still unavailable.
>
> I've granted the right to a global group and added users to said group.
> I've granted the right to objects within the domain (as opposed to the Users
> OU) - isn't it supposed to propagate down to the Users OU?
>