Sorry, ignore my last post completely - I read that as unlock user right, not the unlock workstation.
I think Joe is correct - I believe only admins on the machine can unlock computers. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] |---------+----------------------------------> | | "joe" | | | <[EMAIL PROTECTED]> | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org | | | | | | | | | 02/28/2005 09:42 AM EST| | | Please respond to | | | ActiveDir | |---------+----------------------------------> >------------------------------------------------------------------------------------------------------------------------------| | | | To: <ActiveDir@mail.activedir.org> | | cc: (bcc: James Day/Contractor/NPS) | | Subject: RE: [ActiveDir] Unlock Workstation User Right | >------------------------------------------------------------------------------------------------------------------------------| If you mean unlock the console of a machine locked by a user, I think you have to be an administrator on that machine. It doesn't take any domain level permissions except being an authenticatable user unless the machine someone wants to unlock is a DC, at which point they have to be an admin of the DCs. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) Sent: Monday, February 28, 2005 9:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Unlock Workstation User Right Account Operators Local Group I think. Must us ADU&C, you might have to grant permissions to the group if inheritance is blocked on some OUâs. Todd Myrick From: Tim Foster [mailto:[EMAIL PROTECTED] Sent: Monday, February 28, 2005 9:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Unlock Workstation User Right I want to grant some users the right to unlock workstations in a W2K3 domain. I have scanned through Group Policy and I canât seem to find the appropriate setting to do this. Is this a right that is automatically granted to one of the Built-In groups? If so, which one? It seems overkill to have to add users to the Administrators group to get this right. Thanks in advance for any help the list can give. [EMAIL PROTECTED] V«r¯yÊ&ý§-÷4¨¥iËb½çb®à