[ActiveDir] Unlock Workstation User Right
I want to grant some users the right to unlock workstations in a W2K3 domain. I have scanned through Group Policy and I can't seem to find the appropriate setting to do this. Is this a right that is automatically granted to one of the Built-In groups? If so, which one? It seems overkill to have to add users to the Administrators group to get this right. Thanks in advance for any help the list can give.
Tim
RE: [ActiveDir] Unlock Workstation User Right
Account Operators Local Group I think. Must use ADUC, you might have to grant permissions to the group if inheritance is blocked on some OUs.
Todd Myrick

From: Tim Foster
Sent: Monday, February 28, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unlock Workstation User Right
RE: [ActiveDir] Unlock Workstation User Right
If you mean unlock the console of a machine locked by a user, I think you have to be an administrator on that machine. It doesn't take any domain level permissions except being an authenticatable user unless the machine someone wants to unlock is a DC, at which point they have to be an admin of the DCs.
joe

From: [EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Monday, February 28, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right
RE: [ActiveDir] Unlock Workstation User Right
Hi Tim

We have some users who were delegated the right to do this. The delegation wizard will not do it but you can change the security settings on the OU or domain to allow specific groups / users the right without making them part of any elevated group.

1. On the Object tab, find Apply onto: click on the down arrow to find User objects (last entry).
2. In the Permissions: window find Reset Password (2nd from the bottom), check the Allow box.
3. Click on the Properties tab, find Apply onto: click on the down arrow to find User objects (last entry).
4. In the Permissions: window check the Allow box for the following 4 permissions. (Permissions are more or less alphabetical, look about 1/3 down the list.)
   Read lockoutTime
   Write lockoutTime
   Read pwdLastSet
   Write pwdLastSet

Remark: The user who is given this permission will not be able to unlock any user that does not have "Inherit from parent the permission entries that apply to child objects" checked off under the Security tab in a user's properties.

This came out of the MS KB article http://support.microsoft.com/?kbid=294952

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
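The delegation steps in the message above, scripted with dsacls and the ActiveDirectory PowerShell module as an added example that is not part of the original post. The OU and group names are placeholders; the last step lists the accounts in that OU with inheritance turned off, which per the remark will not pick up the delegated entries.

```powershell
# Added example: OU and group below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'     # placeholder OU holding the user accounts
$group = 'EXAMPLE\Helpdesk-Unlock'        # placeholder group receiving the delegation

# Steps 1-4 expressed as ACEs scoped to user objects.
#   CA   = control-access (extended) right
#   RPWP = read property + write property
$aces = @(
    "${group}:CA;Reset Password;user",
    "${group}:RPWP;lockoutTime;user",
    "${group}:RPWP;pwdLastSet;user"
)

# /I:S applies the ACEs to sub-objects only (not the OU itself); /G grants them.
& dsacls.exe $ou /I:S /G $aces

# Review what the group now holds on the OU.
& dsacls.exe $ou | Select-String -SimpleMatch $group

# The remark in the post: accounts whose ACL does not inherit from the parent
# never receive these ACEs. List them so the gap is known up front.
Get-ADUser -SearchBase $ou -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, adminCount, DistinguishedName
```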
RE: [ActiveDir] Unlock Workstation User Right
Sorry, ignore my last post completely - I read that as unlock user right, not the unlock workstation. I think Joe is correct - I believe only admins on the machine can unlock computers.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: joe
Sent: 02/28/2005 09:42 AM EST
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right
RE: [ActiveDir] Unlock Workstation User Right
Thanks for the input from all. Sorry to not be clear - I meant unlock workstations. Thanks, Joe, for pointing out that I meant local admins group on the workstation. I was hoping that I could be a bit more granular in assigning this right - i.e. just the right to unlock the workstation instead of being a local administrator. Maybe I'll have to think again - maybe force logoff outside of office hours instead of allowing the workstation to lock.
Tim

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Monday, February 28, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unlock Workstation User Right