Re: Field greyed out when account ops try to unlock account



Look at the permissions on the problem account with dsacls; that should tell the story.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Richard Alexander wrote:
I had another instance this morning of this problem. We had an account that was locked out, but the 2 admins could not unlock it. Domain admin had to unlock the account. This is in 2003, and the account was not a member of a restricted account. Any help on this would be greatly appreciated.



"Richard Alexander" wrote:

Just to clarify: I have 2 admins that are part of the account operators group, and occasionally someone will call in with a locked account. They pull up the account properties and see the check there, but it is greyed out and they cannot unlock. It is not one particular userid, and it has happened several times to each one of them. I have since taken them out of account operators and tried using delegation with user manage rights to see if that resolves it.


"Joe Richards [MVP]" wrote:

Dump the ACL of the user you can't modify with dsacls and post it




Richard Alexander wrote:
No, just a regular user account. I thought maybe it was a replication issue. Domain admins never have the issue, only the people in the account operators group.

"Joe Richards [MVP]" wrote:

Is the account the person trying to unlock also an accop or admin or something like that? Is the ACL on the object a little different from what you are used to seeing, say no inherited ACEs?

Google the term adminSDHolder





Richard Alexander wrote:
We are running a Server 2003 single domain structure and we have 2 servers at our corporate locations and 5 remote DCs at remote locations, all with a global catalog. Occasionally one of our early morning staffers will need to unlock an account, but the check box will be greyed out. I had them in the account operators group from our old NT4 domain and read some things about delegation. I set up a new group and did delegation, but she had the same issue this morning. I thought it might be something with replication, but we have partial T1s to all the remotes, so I don't think speed is an issue. Please respond as I'm out of ideas.

Thanks
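
One way to check the two things asked about in the replies above (an ACL with no inherited ACEs, and adminSDHolder protection) on the account that cannot be unlocked. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the `adminCount` attribute and the `-Identity` parameter name are not mentioned in the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and read access to the directory. Run it against the account that shows the
# greyed-out unlock box, e.g.  .\Check-UnlockAcl.ps1 -Identity jdoe  (names are placeholders).
param(
    [Parameter(Mandatory)][string]$Identity   # sAMAccountName or DN of the problem account
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $Identity -Properties adminCount, LockedOut, nTSecurityDescriptor
$sd   = $user.nTSecurityDescriptor

# Look up the schema GUID of lockoutTime instead of hard-coding it; unlocking
# an account is a write to this attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$lockGuid = [guid]$attr.schemaIDGUID

$inherited = @($sd.Access | Where-Object { $_.IsInherited })

# Summary: adminCount = 1 together with blocked inheritance is the signature of an
# account whose ACL has been replaced with the adminSDHolder template, which
# drops any permissions delegated at the OU level.
[pscustomobject]@{
    Account             = $user.SamAccountName
    LockedOut           = $user.LockedOut
    AdminCount          = $user.adminCount
    InheritanceBlocked  = $sd.AreAccessRulesProtected
    InheritedAceCount   = $inherited.Count
    LooksAdminSDHolder  = ($user.adminCount -eq 1 -and $sd.AreAccessRulesProtected)
} | Format-List

# Who can actually write lockoutTime on this object? Only ACEs scoped directly to
# lockoutTime or to all properties are checked here; property-set and Deny ACEs
# still need a look in the full dsacls dump.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$sd.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and
        ($_.ObjectType -eq $lockGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, IsInherited, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# The raw ACL requested in the thread can be dumped with:
#   dsacls "<distinguished name of the user>"
Write-Output "DN for dsacls: $($user.DistinguishedName)"
```

If the delegated group is missing from the table and `InheritanceBlocked` is true, compare the dump with the ACL of a user the same operators can unlock.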