DSACLS command to Grant Domain Groups Password Reset and Unlock Account Rights to Specific Org Unit (OU)

Got a last-minute request to set permissions on more than 200 OUs. On each OU, specific domain user groups are to be granted the rights to reset passwords and unlock user accounts.

If you use the GUI method to grant password reset rights, it will work! But how about the rights to unlock user accounts in the OU? And are you going to do that for all 200-plus OUs one by one?!

For unlock account rights, note that you need to configure “Allow” for both “Read LockoutTime” and “Write LockoutTime” (shown in the picture below).

So, just imagine using the GUI method to configure all 200-plus OUs. One problem is the effort; the other is how to ensure that no mistakes creep in after a while.

image

Well, this is when our good old “DS” commands come in handy!

First, let's look at what the GUI method sets to grant user groups the right to reset user passwords:

Setting One

image

Setting Two

image

For unlocking user accounts, the following needs to be set.

image

Therefore, the commands to achieve the above settings are shown below:

Setting 1 – Part 1 of Granting User Group A to Reset Password for Users in Team A OU

dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:CA;Reset Password";user

Setting 2 – Part 2 of Granting User Group A to Reset Password for Users in Team A OU

dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:rpwp;pwdLastSet";user

Setting 3 – To Allow User Group A to Unlock User Accounts in Team A OU

dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:rpwp;lockoutTime";user

Using Microsoft Excel, I was able to generate the batch file to execute the above commands for all 200-plus OUs. Within half an hour, DONE!!

Hope this will be a one-stop solution for those who wish to do it, even for a single OU~
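The same bulk run can be driven from a CSV in PowerShell, with a dry run first and a record of the resulting ACEs afterwards. This is an added example, not the author's batch file; the CSV column names (OU, Group), the TeamB/groupB row, and the success-message check (English-locale dsacls output) are assumptions.

```powershell
# Added example (not from the original post): apply Settings 1-3 to many OUs.
param([switch]$Apply)   # default is a dry run that only prints the commands

# Constructed sample mapping; column names OU and Group are assumptions.
$rows = @'
OU,Group
"OU=TeamA,dc=SWUG,dc=com,dc=sg",swug\groupA
"OU=TeamB,dc=SWUG,dc=com,dc=sg",swug\groupB
'@ | ConvertFrom-Csv

# Permission specs from Settings 1-3, without the trustee prefix.
$aces = @(
    'CA;Reset Password;user',   # Setting 1: Reset Password extended right
    'rpwp;pwdLastSet;user',     # Setting 2: read/write pwdLastSet
    'rpwp;lockoutTime;user'     # Setting 3: read/write lockoutTime (unlock)
)

foreach ($row in $rows) {
    $ou    = $row.OU.Trim()
    $group = $row.Group.Trim()

    # Skip rows whose values could change how dsacls parses the ACE string:
    # the OU must look like an OU DN, the trustee like DOMAIN\name.
    if ($ou -notmatch '^OU=[^"]+,DC=[^"]+$' -or
        $group -notmatch '^[^\\;:"]+\\[^\\;:"]+$') {
        Write-Warning "Skipping malformed row: '$ou' / '$group'"
        continue
    }

    foreach ($ace in $aces) {
        $spec = '{0}:{1}' -f $group, $ace
        if (-not $Apply) {
            'dsacls "{0}" /I:S /G "{1}"' -f $ou, $spec
            continue
        }
        $out = & dsacls.exe $ou '/I:S' '/G' $spec 2>&1
        # Assumption: English-locale dsacls prints this line on success.
        if (-not ($out -match 'The command completed successfully')) {
            Write-Warning "FAILED on '$ou': $spec"
        }
    }

    # Keep a record of what the group now holds on this OU for later review.
    if ($Apply) {
        & dsacls.exe $ou | Select-String -SimpleMatch $group |
            ForEach-Object { '{0} | {1}' -f $ou, $_.Line.Trim() }
    }
}
```

Run it without -Apply and review the printed commands before making changes; redirect the -Apply output to a file to keep it as the delegation record.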

Cheers

Tan Chee


2 Responses to DSACLS command to Grant Domain Groups Password Reset and Unlock Account Rights to Specific Org Unit (OU)

  1. steve88 says:

    You can do it with Quest AD cmdlets too… not yet native AD PowerShell, Microsoft forgot it 😦
