To delegate the right to unlock locked user accounts to a user or group in Active Directory, you must first make the right visible. Unlocking an account is a write to the user object's lockoutTime attribute, and the Delegation of Control wizard hides that attribute by default.

The %Systemroot%\System32\Dssec.dat file contains the filters that control which attributes the wizard reveals. It is a plain text file and can be edited, but note that it only changes what the console on that computer displays; it does not change any permission in the directory. Open Dssec.dat in Notepad (run as an administrator, since the file lives under System32) and find [User]. Within [User], the lockoutTime entry is listed alphabetically. Change the mask from 7 to 0, so the line reads lockoutTime=0.

NOTE: The mask values appear to be:

0 - Read and Write of property unfiltered
1 - Read of property filtered
2 - Write of property filtered
7 - Filter out property.

Save the change and restart Active Directory Users and Computers so the new filter is read.
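The same Dssec.dat edit done from an elevated PowerShell prompt, as an added example that is not part of the original tip. It keeps a backup, changes only the lockoutTime line inside the [User] section (matched case-insensitively), and leaves the file untouched if the entry is not found. The path, section and attribute names are parameters so the script assumes nothing beyond what the tip states.

```powershell
# Added example (not from the original tip): reveal lockoutTime in the
# Delegation of Control wizard by changing its mask in Dssec.dat.
# Assumes an elevated PowerShell session on the computer that runs
# Active Directory Users and Computers; the file is per-machine.
param(
    [string]$Path      = "$env:SystemRoot\System32\Dssec.dat",
    [string]$Section   = 'User',          # tip writes [User]; matched case-insensitively
    [string]$Attribute = 'lockoutTime',
    [int]   $Mask      = 0                # 0 = read and write unfiltered, 7 = hidden
)

# The file is shared by every MMC console on this machine, so keep a backup.
Copy-Item -Path $Path -Destination "$Path.bak" -Force

$inSection = $false
$changed   = $false
$attrRegex = '^\s*' + [regex]::Escape($Attribute) + '\s*=\s*(?<mask>\d+)\s*$'

$output = foreach ($line in (Get-Content -Path $Path)) {
    # Track which INI-style section we are in.
    if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
        $inSection = ($Matches['name'] -ieq $Section)
        $line
        continue
    }
    # Rewrite the mask only for the requested attribute in the requested section.
    if ($inSection -and $line -match $attrRegex -and [int]$Matches['mask'] -ne $Mask) {
        "$Attribute=$Mask"
        $changed = $true
        continue
    }
    $line
}

if ($changed) {
    # Dssec.dat is plain ASCII; write it back the same way.
    Set-Content -Path $Path -Value $output -Encoding Ascii
    Write-Host "Set $Attribute=$Mask under [$Section] in $Path (backup: $Path.bak)"
} else {
    Write-Warning "No $Attribute entry under [$Section] needed changing in $Path"
}
```

After the script runs, close and reopen Active Directory Users and Computers; the wizard reads Dssec.dat when the console loads. Setting the mask back to 7 (or restoring the .bak file) hides the attribute again without affecting any delegation already made.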

To delegate the right:

1. Right-click the domain in Active Directory Users and Computers and press Delegate Control from the context menu.

2. Press Next on the Welcome.... dialog.

3. Press Add and select the user or group.

4. Press OK and Next.

5. Select Create a custom task to delegate and press Next.

6. Select Only the following objects in the folder. In the list, check User objects and press Next.

7. Clear the General selection and select the Property-specific box.

8. Select both the Read lockoutTime and Write lockoutTime boxes and press Next.

9. Press Finish.

NOTE: These rights are domain specific and can NOT be assigned to an OU.
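The delegation the wizard produces, expressed in PowerShell so it can be scripted and checked, as an added example that is not part of the original tip. Steps 1 to 9 above create one access control entry: Read Property and Write Property on the lockoutTime attribute, inherited by user objects below the point where the wizard was run. The script below adds that same ACE with the ActiveDirectory module and then reads it back. It assumes RSAT is installed and the session has rights to change the ACL; the group name is a placeholder and the target defaults to the domain root, as in the tip.

```powershell
# Added example, not part of the original tip. Grants a group Read and
# Write on the lockoutTime property of every user object below $TargetDN,
# which is what the Delegation of Control wizard steps above produce.
# Assumes the ActiveDirectory module (RSAT) and a session allowed to
# modify the target's ACL. 'Helpdesk-Unlock' is an assumed group name.
param(
    [string]$GroupName = 'Helpdesk-Unlock',
    [string]$TargetDN  = (Get-ADDomain).DistinguishedName   # domain root, as in the tip
)

Import-Module ActiveDirectory

# Resolve the schemaIDGUIDs from this forest's schema instead of trusting
# hard-coded values; the expected well-known values are shown in comments.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # 28630ebf-41d5-11d1-a9c1-0000f80367c1
$userClassGuid   = Get-SchemaGuid 'user'          # bf967aba-0de6-11d0-a285-00aa003049e2

$group = Get-ADGroup -Identity $GroupName

# ReadProperty + WriteProperty, limited to lockoutTime (ObjectType), applied
# only to descendant objects of class user (InheritedObjectType).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl = Get-Acl -Path "AD:\$TargetDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Read the ACL back and show only the ACE just added, so the scope can be checked.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.ObjectType -eq $lockoutTimeGuid -and $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-List IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The equivalent single command with the dsacls tool is dsacls "<target DN>" /I:S /G "DOMAIN\Helpdesk-Unlock:RPWP;lockoutTime;user" (RPWP is read and write property, /I:S applies the ACE to sub-objects only, and the trailing "user" limits it to that object class). To confirm the delegation works, sign in as a member of the group and run Unlock-ADAccount against a locked test account; it succeeds because unlocking is exactly a write of lockoutTime, and it fails with an access-denied error if the ACE is missing or scoped to the wrong container.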