Account Lockouts and Password Resets Delegation Taskpad

February 21, 2008


So I've been struggling a little bit with delegation and taskpads. A little background: we're creating a new call center that will eventually hold 200 users, and adding any additional support staff is out of the question. There will be a supervisor for roughly every 20 users, and 2 or 3 people supervising them. They're also going to be working weekends, which would add a lot of headache for me and my crew (we don't have a weekend help desk, just one guy on call). So delegating password resets and account unlocks is pretty critical for our sanity (not to mention speedier service for the end user).

Following the articles I posted earlier, setting up a taskpad view and even setting up the unlock rights/password change rights wasn't too difficult. Getting the password task was also easy, but finding a way for the end user to unlock an account without having to go into the account's properties was more of a challenge. I tried numerous scripts, and wrote some of my own, but couldn't get any of them to work. Finally, I found the article How can I add an "unlock user account" option to the Active Directory Users and Computers context menu? at the Petri IT Knowledgebase. I followed the instructions exactly step-by-step and ended up with a nice (and working) Unlock User option when right-clicking a user account. After that, adding it to the taskpad view was as easy as adding the Reset Password function.

A quick overview of how I set these up:

Set up delegation for account lockouts and password resets.

1. Create an AD group, populate with those folks whom you want to have delegation rights.
2. Right click the OU you want to delegate, click "Delegate Control".
3. Add your created group when prompted in the wizard.
4. Choose to create a custom task.
5. Choose ONLY user objects as the scope of what you want to delegate.
6. For permissions, check only General and Property-specific. In the list, check "Change password", "Reset password", "Read lockoutTime", and "Write lockoutTime". Reset password is the one that matters for the help desk (it sets a new password without knowing the old one); Change password only lets the delegate change a password when the old one is known, which users already have on their own accounts. If you want your delegates to be able to tick "User must change password at next logon" in the Reset Password dialog, also check "Read pwdLastSet" and "Write pwdLastSet"; without that the box is still shown, but applying it fails with an access-denied error.

Note: If you want to check who has what delegation rights, or if you want to edit an existing delegation, check the security of the OU in question. In Active Directory Users and Computers, click View, Advanced Features. Then right-click the OU and choose Properties. Click the Security tab, then Advanced. There you should see who has what permissions on this OU. One caveat: accounts that are members of protected groups (Domain Admins, Account Operators and so on) have their permissions periodically rewritten from the AdminSDHolder object, so this delegation will not apply to them even if they sit in the OU. That is the behaviour you want, but it will surprise a delegate who tries to unlock an admin account.
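The same delegation as a script, so it can be re-run on another OU (the "2 or 3 separate OUs" case) and reviewed afterwards. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed, and the group name and OU distinguished name below are placeholders. The object and right GUIDs are looked up in the schema and Extended-Rights containers rather than hard-coded.

```powershell
# Added example (not from the original post). Grants what steps 1-6 of the
# wizard grant, plus pwdLastSet so "must change password at next logon" works.
Import-Module ActiveDirectory

$Group = 'CallCenter-Helpdesk'                  # assumed group name
$OU    = 'OU=CallCenter,DC=corp,DC=example'     # assumed OU distinguished name

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid     = (Get-ADGroup $Group).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Inherit to descendants only, and only onto user objects (the wizard's
# "Only the following objects in the folder: User objects").
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWriteProp = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

function New-UserAce($Rights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, $allow, $ObjectType, $inherit, $userClass)
}

$aces = @(
    (New-UserAce $extRight      $resetPwd)      # Reset Password control access right
    (New-UserAce $readWriteProp $lockoutTime)   # Read/Write lockoutTime = unlock
    (New-UserAce $readWriteProp $pwdLastSet)    # Read/Write pwdLastSet = force change at next logon
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Review what was written: the script equivalent of the Advanced Security tab.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once per OU you are delegating. The final query is the thing to keep in a change record: if the group ever shows up with rights other than ExtendedRight and ReadProperty/WriteProperty on those three GUIDs, someone has widened the delegation.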

Create a taskpad.

1. Open mmc.exe (Start, Run, mmc.exe).
2. Add Active Directory Users and Computers to your view.
3. Choose the OU you're delegating.
4. Right-click the OU and choose New Window from Here. This is the only view you want your users to see.
5. Click Action, New Taskpad View.
6. Choose the style you like (I like the Vertical list, Text).
7. If you want them to be able to view the sub-OUs (child OUs) with the same view, select "All tree items that are the same type as the selected tree item" and "Make this the default taskpad".
8. To edit or add your tasks, right-click the OU and choose Edit Taskpad.
9. Choose the Tasks tab and click the New button.
10. To add the Reset Password task, choose Menu command.
11. Highlight a user account in the left window and choose Reset Password in the right window.
12. Put in a description, choose an icon, and you're set to go.
13. To add the Unlock User task, first follow the steps in the Petri article mentioned above (it adds an Unlock User command to the user's context menu). Then repeat steps 9 - 12, choosing the Unlock User task instead.
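What the two taskpad tasks actually do to the directory, written as functions a delegate can run from a prompt to confirm the delegation works before the taskpad is rolled out. This is an added example, not the original post's code and not the script from the Petri article; it uses plain ADSI (no RSAT needed) and the distinguished names in the usage comments are placeholders. The lock check relies on the constructed attribute msDS-User-Account-Control-Computed, which assumes Windows Server 2003 or later domain controllers.

```powershell
# Added example (not from the original post). Unlock = write lockoutTime 0,
# reset = SetPassword; both map directly to the rights delegated on the OU.

function Test-UserLocked {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # lockoutTime alone is misleading: it stays non-zero after lockoutDuration
    # has expired. The DC computes the real state into this attribute
    # (bit 0x10 = UF_LOCKOUT); it must be requested explicitly.
    $user.RefreshCache(@('msDS-User-Account-Control-Computed'))
    $computed = [int]$user.Properties['msDS-User-Account-Control-Computed'].Value
    return (($computed -band 0x10) -ne 0)
}

function Unlock-DelegatedUser {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # Writing 0 to lockoutTime is the unlock; this needs exactly the
    # "Write lockoutTime" permission from the delegation step.
    $user.Put('lockoutTime', 0)
    $user.SetInfo()
}

function Reset-DelegatedPassword {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.SecureString]$NewPassword,
        [switch]$MustChangeAtNextLogon
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($NewPassword)
    try {
        # SetPassword uses the "Reset Password" control access right;
        # no old password is required.
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringUni($ptr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
    }
    if ($MustChangeAtNextLogon) {
        # Needs Write pwdLastSet, which the wizard only grants if you checked it.
        $user.Put('pwdLastSet', 0)
        $user.SetInfo()
    }
}

function Test-Delegation {
    # Run as a member of the delegated group. Expect $true for a user inside the
    # delegated OU and $false (access denied) for one outside it or for an admin.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        Unlock-DelegatedUser -DistinguishedName $DistinguishedName
        return $true
    } catch {
        Write-Warning "Unlock of $DistinguishedName failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (assumed DNs):
# $dn = 'CN=Jane Doe,OU=CallCenter,DC=corp,DC=example'
# Test-UserLocked $dn
# Unlock-DelegatedUser $dn
# Reset-DelegatedPassword $dn (Read-Host -AsSecureString 'New password') -MustChangeAtNextLogon
# Test-Delegation 'CN=Administrator,CN=Users,DC=corp,DC=example'   # should be $false
```

The Test-Delegation call against an account outside the OU is the check worth doing before handing the console to the supervisors: a successful unlock there means the ACE landed on the wrong container or without the user-object scope.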

Lock it down.

To customize views, click the MMC icon next to the File menu. Choose Customize View. Select what you want your users to see. I personally remove everything except Console tree and Taskpad navigation tabs.

After you're ready to deploy, click File and choose Options. In Console mode, select "User mode - limited access, single window" (multiple window works too; I use single window). Uncheck "Allow the user to customize views" (optional, depending on what you want your users to do). Then save. Your users shouldn't be able to do much more than reset passwords and unlock accounts. Keep in mind that the console mode only shapes the interface: the .msc is a plain XML file, and anyone who opens it in author mode or edits it by hand gets the full snap-in back. What actually bounds the delegates is the permissions you granted in the delegation step, so get those right and treat the taskpad as a convenience, not a security control.

To edit your saved .msc, right click it and choose Author. This will open it in editing mode.

6 comments:

aceq said...

Suppose "author mode" is restricted by policy.

But *.msc is an XML file. [If we can edit *.msc in Notepad] or [we can copy *.msc to another place and edit it] => we can change many things that the admin does not want.

For example, change

PreventViewCustomization="true"

to

PreventViewCustomization="false"

and voilà, we unblock "customize view" :)

For details see here.

Anonymous said...

Wound up following this writeup to the letter for both Win2K and XP. Makes my life a whole lot easier out here in educational IT land. Thanks a lot.

Anonymous said...

What if I need to give access to 2 or 3 separate OUs? Thanks

Kim said...

This is awesome, thanks!!!

Ryan Weldron said...

Thanks for the nice explanation of account lockouts and password reset delegation. I found related information at http://www.selfservicepasswordreset.net/, which unlocks AD accounts and allows administrators to manage user account information and passwords anywhere in the domain.