We have account lockout enabled to slow down attacks that try to guess passwords. Of course, users occasionally lock themselves out when they keep trying to guess a password that they've forgotten. I'd like to follow the advice in "Setting Active Directory Property Permissions" (July 2000, InstantDoc ID 9187) and grant Help desk staff members permissions to all the accounts in my domain so that Help desk staff can unlock user accounts when necessary. However, I have 1300-plus accounts in Active Directory (AD) and don't want to make the permission change manually to each account. Is there a way to make the change to all accounts in one sweep, maybe using a Group Policy Object (GPO) or the security policy?
There is a way, and making the change is very easy once you know where to do it. GPOs and the security policy don't have anything to do with controlling AD permissions. Instead, you use permission inheritance and your organizational unit (OU) hierarchy. I'll use an analogy to explain. On file servers, we control file permissions through a hierarchy of folders and subfolders. Permissions we define on a folder propagate down to child folders and files. Likewise in AD, we control permissions on directory objects, including user accounts, through the hierarchy of OUs and sub-OUs.
So, to give Help desk staff the ability to unlock all user accounts, open the Properties dialog box of the domain's root in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select the Security tab. Click Advanced and add an ACL entry. Select the Properties tab, then in the Apply to drop-down list, select User objects. Find the lockoutTime property and grant Read or Write access as desired. Click OK twice and verify that the new permission entry was added to the ACL. Because you added this entry at the root of the domain, AD will propagate it down to all users in the domain, except to any OUs or user objects that have the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" option disabled on their Permissions tab. Why might you clear the "Inherit from parent..." option? To prevent permissions from flowing down to a special set of users. For instance, you wouldn't want to give Help desk staff the ability to reset IT administrator account passwords; therefore, you might uncheck that box for the OU that holds your IT administrators.
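The same inherited ACE can be added from the command line, which is handy for scripting or for auditing what the GUI did. The following is an added example, not part of the original column: it assumes the ActiveDirectory PowerShell module and a group named HelpDesk (a placeholder), and it also lists any OUs that block inheritance, which is where the new entry will not reach.

```powershell
# Added example: grant HelpDesk Read/Write on the lockoutTime property of every
# user object below the domain root, via an inherited ACE, then report OUs
# that have inheritance disabled (the entry will not propagate into those).
Import-Module ActiveDirectory

$groupName = 'HelpDesk'   # assumption: name of the Help desk security group
$group     = Get-ADGroup -Identity $groupName
$sid       = [System.Security.Principal.SecurityIdentifier] $group.SID

# Look up the schema GUIDs for the lockoutTime attribute and the user class
# rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string] $ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object -TypeName System.Guid -ArgumentList (,$obj.schemaIDGUID)
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$userClassGuid   = Get-SchemaGuid 'user'

# Build the ACE: Allow ReadProperty+WriteProperty on lockoutTime,
# applied to descendant objects of class user only (Apply to: User objects).
$domainDN = (Get-ADDomain).DistinguishedName
$rights   = [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, 'Allow', $lockoutTimeGuid, 'Descendents', $userClassGuid)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify the entry landed at the root.
Get-Acl -Path "AD:\$domainDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.ObjectType -eq $lockoutTimeGuid }

# OUs with inheritance blocked: users there (e.g. IT administrators) keep their
# own ACL and will NOT receive the new entry. Review this list deliberately.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object -ExpandProperty DistinguishedName
```

Run it as a domain administrator; the trailing report is the list of containers where you would have to decide explicitly whether the Help desk entry belongs.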