How to Delegate Rights to Unlock Accounts in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Delegate Rights to Unlock Accounts in Active Directory

 

2. Steps for Delegating the Unlock Account Rights

  1. Open “Active Directory Users and Computers”.
  2. Right-click the Organizational Unit or domain in “Active Directory Users and Computers”. From the context menu, select “Delegate Control”.
  3. The “Delegation of Control” wizard opens. Click Next on the Welcome dialog box to proceed.
  4. Click “Add” to select the user/group to which the right will be assigned. Type the name of the user or group you want to add and click the “Check Names” button to verify it. Click “OK”. This takes you back to the wizard. Click “Next” to go to the next page.
  5. In this step, you choose the tasks to delegate. Select the 2nd radio button, “Create a custom task to delegate”, and click Next.
  6. Select the 2nd option, “Only the following objects in the folder”. Select “User objects” in the list, and click Next.
  7. Select the “Property-specific” checkbox and ensure that only this checkbox is selected. In the Permissions list, check both the “Read lockoutTime” and “Write lockoutTime” boxes, and click Next.
  8. On the “Completing the Delegation of Control Wizard” dialog box, click Finish to close the wizard.
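
The same delegation can be applied and then checked from PowerShell. The script below is an added example, not part of the original Support.com procedure; the OU distinguished name and the group name are hypothetical placeholders, and it assumes the ActiveDirectory module (RSAT) is installed and the session has rights to modify the OU's ACL.

```powershell
# Added example: scripted equivalent of the wizard steps, followed by a check of the result.
# Assumed placeholders: replace with your own values.
$OuDn      = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$GroupName = 'Helpdesk-Unlock'              # hypothetical delegate group

Import-Module ActiveDirectory               # provides the AD: drive used by Get-Acl / Set-Acl

# Resolve the schema GUIDs at run time instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" `
                      -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the property being delegated
$userClassGuid   = Get-SchemaGuid 'user'          # "User objects" in the wizard

# Build one ACE: Allow Read + Write on lockoutTime only, inherited by descendant user objects.
$sid    = (Get-ADGroup -Identity $GroupName).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list every ACE the delegate group holds on the OU, explicit and inherited.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

"lockoutTime GUID: $lockoutTimeGuid"
"user class GUID : $userClassGuid"
```

Each ACE listed for the group should show only ReadProperty and WriteProperty, with ObjectType equal to the lockoutTime GUID and InheritedObjectType equal to the user class GUID. Any broader entry for the same group (for example GenericAll, or WriteProperty with an all-zero ObjectType) means the group holds more than the unlock right.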

3. How to Unlock a User’s Account

To unlock a user’s account, first log in to the system. Open Active Directory Users and Computers. Right-click the user whose account you need to unlock and select Properties from the context menu. In the Properties window, click the Account tab. Select the Unlock Account checkbox; the text next to it states that this account has been locked on this Active Directory Domain Controller (ADDC). Click Apply and then OK to unlock the account.