[ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Tim Foster








I want to grant some users the right to unlock workstations
in a W2K3 domain. I have scanned through Group Policy and I can't
seem to find the appropriate setting to do this. Is this a right that is
automatically granted to one of the Built-In groups? If so, which
one? It seems overkill to have to add users to the Administrators group
to get this right.



Thanks in advance for any help the list can give.



Tim 








RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Myrick, Todd (NIH/CC/DNA)








Account Operators Local Group I think.
Must use ADUC, you might have to grant permissions to the group if inheritance
is blocked on some OUs.



Todd Myrick











From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right





I want to grant some users the right to unlock workstations
in a W2K3 domain. I have scanned through Group Policy and I can't
seem to find the appropriate setting to do this. Is this a right that is
automatically granted to one of the Built-In groups? If so, which
one? It seems overkill to have to add users to the Administrators group
to get this right.



Thanks in advance for any help the list can give.



Tim 








RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread joe



If you mean unlock the console of a machine locked by a 
user, I think you have to be an administrator on that machine. It doesn't take 
any domain level permissions except being an authenticatable user unless the 
machine someone wants to unlock is a DC, at which point they have to be an admin 
of the DCs. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right

Account Operators Local Group I think. Must use ADUC, you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick








RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread James_Day
Hi Tim

We have some users who were delegated the right to do this.  The delegation
wizard will not do it but you can change the security settings on the OU or
domain to allow specific groups / users the right without making them part
of any elevated group.

1. On the Object tab, find Apply onto: click on the down arrow to find
User objects (last entry).

2. In the Permissions: window find Reset Password (2nd from the
bottom), check the Allow box.

3. Click on the Properties tab, find Apply onto: click on the down arrow
to find User objects (last entry).

4. In the Permissions: window check the Allow box for the following 4
permissions. (Permissions are more or less alphabetical, look about 1/3
down the list.)

  Read lockoutTime
  Write lockoutTime
  Read pwdLastSet
  Write pwdLastSet



Remark: The user who is given this permission will not be able to unlock
any user that does not have "Inherit from parent the permission entries that
apply to child objects" checked off under the Security tab in a user's
properties.


This came out of the MS KB article
  http://support.microsoft.com/?kbid=294952

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


Myrick, Todd (NIH/CC/DNA) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/28/2005 09:30 AM EST
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right




Account Operators Local Group I think.  Must use ADUC, you might have to
grant permissions to the group if inheritance is blocked on some OUs.

Todd Myrick


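
Added example (not part of the original thread or of the KB article): the account-unlock delegation from steps 1-4 of the message above, applied with dsacls and then audited from PowerShell, including the inheritance caveat from the Remark. The OU DN and the EXAMPLE\HelpDesk group are hypothetical placeholders, and the audit assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example; OU DN and group name below are hypothetical placeholders.
Import-Module ActiveDirectory            # assumption: RSAT AD module is installed
$OuDn  = 'OU=Staff,DC=example,DC=com'    # constructed
$Group = 'EXAMPLE\HelpDesk'              # constructed

# Steps 1-4 as dsacls grants: /I:S = apply to child objects only, trailing
# ";user" = "Apply onto: User objects". CA = control access (extended right),
# RP/WP = read/write property.
dsacls $OuDn /I:S /G "${Group}:CA;Reset Password;user"
dsacls $OuDn /I:S /G "${Group}:RPWP;lockoutTime;user"
dsacls $OuDn /I:S /G "${Group}:RPWP;pwdLastSet;user"

# Audit: who holds these delegations on the OU (explicit or inherited)?
$Watch = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'  # extended right
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'     # attribute
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'      # attribute
}
$UserClass = 'bf967aba-0de6-11d0-a285-00aa003049e2'            # User object class

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Watch.ContainsKey($_.ObjectType.ToString()) -and
        $_.InheritedObjectType.ToString() -eq $UserClass
    } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
        @{ n = 'Target'; e = { $Watch[$_.ObjectType.ToString()] } },
        ActiveDirectoryRights, IsInherited |
    Sort-Object Principal, Target |
    Format-Table -AutoSize

# The Remark: users whose ACL does not inherit from the parent never receive
# the delegated ACEs, so the delegate cannot unlock them. List those accounts.
Get-ADUser -SearchBase $OuDn -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName
```

Any principal in the audit output other than the intended delegate group is worth reviewing, since Reset Password on user objects is effectively control of those accounts.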

RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread James_Day
Sorry, ignore my last post completely - I read that as unlock user right,
not the unlock workstation.

I think Joe is correct - I believe only admins on the machine can unlock
computers.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/28/2005 09:42 AM EST
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Unlock Workstation User Right




If you mean unlock the console of a machine locked by a user, I think you
have to be an administrator on that machine. It doesn't take any domain
level permissions except being an authenticatable user unless the machine
someone wants to unlock is a DC, at which point they have to be an admin of
the DCs.

  joe


RE: [ActiveDir] Unlock Workstation User Right

2005-02-28 Thread Tim Foster
Thanks for the input from all.

Sorry to not be clear - I meant unlock workstations.  Thanks, Joe, for pointing 
out that I meant local admins group on the workstation.  I was hoping that I 
could be a bit more granular in assigning this right - i.e. just the right to 
unlock the workstation instead of being a local administrator.

Maybe I'll have to think again - maybe force logoff outside of office hours 
instead of allowing the workstation to lock.

Tim   

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Unlock Workstation User Right

Sorry, ignore my last post completely - I read that as unlock user right,
not the unlock workstation.

I think Joe is correct - I believe only admins on the machine can unlock
computers.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

