So you want to delegate permissions to unlock accounts, as well as reset passwords for users in your domain? It’s not as straightforward as it should be.
First, you have to edit %Systemroot%\System32\Dssec.dat to make the property visible.
Open the file in Notepad, find the [user] section, and change lockoutTime from 7 to 0. Close and save.
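The same Dssec.dat edit, scripted as an added example (not part of the original post): it changes lockoutTime only inside the [user] section, because the same key name can appear under other object classes in the file, and it keeps a backup and the file's original encoding. The function name `Set-DssecValue` and the `.bak` backup name are assumptions of this example.

```powershell
# Added example: run from an elevated PowerShell prompt on the machine where
# Active Directory Users & Computers is used.
function Set-DssecValue {
    param(
        [string[]]$Lines,               # file content, one element per line
        [string]$Section = 'user',      # section to edit
        [string]$Name    = 'lockoutTime',
        [string]$Value   = '0'          # 0 = show the property (page: change 7 to 0)
    )
    $inSection = $false
    $changed   = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Section header: remember whether we are inside the target section
            $inSection = ($Matches[1] -ieq $Section)
            $line
        }
        elseif ($inSection -and $line -match ('^\s*' + [regex]::Escape($Name) + '\s*=')) {
            $changed = $true
            "$Name=$Value"              # rewrite only this key, only in this section
        }
        else { $line }
    }
    if (-not $changed) { throw "No '$Name' entry found in [$Section]" }
    return ,$out
}

$path = Join-Path $env:SystemRoot 'System32\Dssec.dat'

# Keep the first backup; do not overwrite it on later runs (.bak name is an assumption)
if (-not (Test-Path "$path.bak")) { Copy-Item $path "$path.bak" }

# Read the file and remember its encoding so it is written back unchanged
$reader = New-Object System.IO.StreamReader($path, [System.Text.Encoding]::Default, $true)
try     { $text = $reader.ReadToEnd(); $enc = $reader.CurrentEncoding }
finally { $reader.Dispose() }

$new = Set-DssecValue -Lines ($text -split "\r?\n")
[System.IO.File]::WriteAllText($path, ($new -join "`r`n"), $enc)
```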
Now open Active Directory Users & Computers:
- Go to properties on the desired OU
- Go to Security-Advanced (you’ll have to switch on Advanced Features in your AD Users & Computers)
- Click Add and select the user/group to delegate to.
- Now, select Properties and then Descendant User Objects from the Apply to list
Here’s what you need to check:
That’s it, all good!