
Field greyed out when account ops try to unlock account

2,244 views

Richard Alexander

Apr 13, 2006, 10:01:01 AM
We are running a Server 2003 single domain structure and we have 2 servers at
our corporate locations and 5 remote DCs at remote locations, all with a
global catalog. Occasionally one of our early morning staffers will need to
unlock an account, but the check box will be greyed out. I had them in the
Account Operators group from our old NT4 domain and read some things about
delegation. I set up a new group and did delegation, but she had the same
issue this morning. I thought it might be something with replication, but we
have partial T1s to all the remotes, so I don't think speed is an issue.
Please respond, as I'm out of ideas.

Thanks

Joe Richards [MVP]

Apr 13, 2006, 9:33:21 PM
Is the account the person trying to unlock also an accop or admin or something
like that? Is the ACL on the object a little different from what you are used to
seeing, say no inherited ACEs?

Google the term adminSDHolder


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Richard Alexander

Apr 27, 2006, 9:20:02 AM
No, just a regular user account. I thought maybe it was a replication issue.
Domain Admins never have the issue, only the people in the Account Operators
group.

Joe Richards [MVP]

Apr 28, 2006, 9:46:17 AM
Dump the ACL of the user you can't modify with dsacls and post it

Richard Alexander

May 9, 2006, 5:31:02 PM
Just to clarify. I have 2 admins that are part of the Account Operators
group, and occasionally someone will call in with a locked account. They
pull up the account properties and see the check there, but it is greyed
out and they cannot unlock. It is not one particular userid, and it has
happened several times to each one of them. I have since taken them out of
Account Operators and tried using delegation with user manage rights to see
if that resolves it.

Richard Alexander

May 31, 2006, 2:30:02 PM
I had another instance this morning of this problem. We had an account that
was locked out, but the 2 admins could not unlock it. A Domain Admin had to
unlock the account. This is in 2003, and the account was not a member of a
restricted group. Any help on this would be greatly appreciated.

Joe Richards [MVP]

May 31, 2006, 5:42:38 PM
Look at the permissions on the problem account with dsacls, that should
tell the story.

Richard Alexander

Jun 6, 2006, 8:13:45 AM
I tried running

dsacls cn=enduser,ou=users,ou=city,ou=dist division
but I get an error that the system cannot open the device or file.

Tried on several different accounts with the same result. I did look at the
advanced features through MMC and can see the security tab. The group that
I created has access at the container (inherited from site level), but when I
look at the security on the user object it is not there.


"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:eWYBksPh...@TK2MSFTNGP05.phx.gbl...

Joe Richards [MVP]

Jun 6, 2006, 11:45:33 PM
You probably need to put your DN in quotes if you have spaces in it...
Plus that OU you listed isn't valid for Active Directory.

Joe Richards [MVP]

Jun 6, 2006, 11:46:15 PM
Oh, as for the user not having the permissions on it, does the user have
inheritance enabled? If not, it is likely you are feeling the effects of
the adminSDHolder functionality, which you can google for; tons of
references to that now.

Richard Alexander

Jun 7, 2006, 4:56:53 PM
I ran the following command to try and restore inherited permissions at the OU
level and it said it completed successfully, but if I go to the user object and
look at permissions, they are still not inheriting.

dsacls ou=users,ou=city,ou="dist division",DC=company,DC=local /I:T

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message

news:%23lEIvTe...@TK2MSFTNGP05.phx.gbl...

Joe Richards [MVP]

Jun 7, 2006, 6:15:52 PM
Ok, did you go look up adminsdholder as I mentioned previously?

Richard Alexander

Jun 14, 2006, 12:28:23 PM
I used to think I was a pretty sharp guy, but now I'm having my doubts. I
did as you suggested and looked up adminSDHolder on Google. I've read
several articles describing its purpose and they make perfect sense, but I
still do not see how it is affecting my situation. I believe it is the
culprit, but don't know why.

Originally I had the help deskers in the Account Operators group, which was
not working all the time. adminSDHolder may have been preventing this.
After I read up on delegation, I removed them from the Account Operators
group and created a new group called xxx-accops and then delegated
permissions on the OUs.

I found the following article, and it mentions the same problems and a
hotfix; once I finish reading it, I may look at that option.

http://support.microsoft.com/kb/817433

Thanks

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message

news:uTT6y$niGHA...@TK2MSFTNGP05.phx.gbl...

Joe Richards [MVP]

Jun 14, 2006, 7:22:29 PM
Once the folks are out of Account Operators you need to clear the adminCount
attribute and reset their ACL. Then recheck them. If they get adminCount
set again, there is some other group membership that is impacting them.
It could even be a DL that was in one of the protected groups at one point.
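The procedure in this reply (clear adminCount, reset the ACL, recheck whether it comes back) as an added PowerShell example; this is not code from the thread or from Joe. It lists every user stamped adminCount=1, resolves nested membership on the DC so a distribution list sitting inside Account Operators is caught, and for accounts that are no longer in any protected group clears the stamp and re-enables inheritance so delegated OU permissions apply again. Assumptions of mine: the RSAT ActiveDirectory module, rights to write adminCount and the object DACL, a single-domain forest (the membership lookup only searches the current domain, so Enterprise Admins or Schema Admins nesting from another domain would be missed), and the $Fix switch, which defaults to a dry run.

```powershell
# Added example: audit adminCount=1 users and un-protect the orphaned ones.
Import-Module ActiveDirectory

$Fix = $false   # dry run; set to $true to clear adminCount and re-enable inheritance

$domainSid = (Get-ADDomain).DomainSID.Value

# SIDs of the groups SDProp protects: builtin aliases by well-known RID,
# domain groups by domain SID + RID. The Administrator (RID 500) and krbtgt
# (RID 502) accounts are protected directly.
$builtinRids = 544, 548, 549, 550, 551, 552   # Administrators, Account/Server/Print/Backup Operators, Replicator
$domainRids  = 512, 516, 518, 519, 521        # Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins, RODCs
$protectedSids = @($builtinRids | ForEach-Object { "S-1-5-32-$_" }) +
                 @($domainRids  | ForEach-Object { "$domainSid-$_" })

function Get-ProtectingGroups {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Escape the DN for use inside an LDAP filter (backslash first).
    $dn = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side, so a
    # DL that was placed inside Account Operators is reported as well.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $protectedSids -contains $_.SID.Value }
}

$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor
foreach ($u in $stamped) {
    $inheritanceOff = $u.nTSecurityDescriptor.AreAccessRulesProtected   # SDProp sets this
    $groups         = @(Get-ProtectingGroups -DistinguishedName $u.DistinguishedName)
    $builtinAccount = $u.SID.Value -match '-(500|502)$'

    if ($groups.Count -gt 0 -or $builtinAccount) {
        $via = if ($builtinAccount) { 'well-known RID' } else { $groups.Name -join ', ' }
        '{0,-20} legitimately protected via: {1}' -f $u.SamAccountName, $via
        continue
    }

    '{0,-20} orphaned adminCount=1 (inheritance disabled: {1})' -f $u.SamAccountName, $inheritanceOff
    if ($Fix) {
        # Clear the stamp first; SDProp only protects objects it finds in the
        # groups, so an orphan stays clean once adminCount is gone.
        Set-ADUser -Identity $u -Clear adminCount
        # SDProp never re-enables inheritance on its own; do it explicitly and
        # keep the explicit ACEs that are already on the object.
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it once as a dry run and read the "legitimately protected via" lines: that column is the answer to "some other group membership is impacting them". Anything you un-protect while it still has a protecting group is re-stamped on the next SDProp pass (every 60 minutes by default), which is the recheck Joe describes.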

Richard Alexander

Jun 21, 2006, 6:37:26 PM
I hope I did this right, but I looked in ADSI Edit at the abs-accops group I
had created and the adminCount attribute said <not set>, which I believe is
cleared.

I then ran the following from a batch file:

dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Everyone:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"

I must have missed something, because if I look at a user object, some
have the permissions granted and others still do not.

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message

news:%234jJplA...@TK2MSFTNGP03.phx.gbl...
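The batch above edits AdminSDHolder, which is the right place if the help desk genuinely must unlock accounts that belong in protected groups, since SDProp overwrites a protected account's DACL with a copy of AdminSDHolder's and turns inheritance off. What the unlock check box in ADUC actually writes is the lockoutTime attribute, so a single Write Property ACE on lockoutTime is enough. The following is an added PowerShell example, not from the thread, that grants exactly that to the delegated group, triggers SDProp instead of waiting for the scheduled run, and then verifies whether each protected user has received the ACE. Assumptions of mine: the group is the xxx-accops group named earlier in the thread, the RSAT ActiveDirectory module is present, the session runs as a Domain Admin, and the DC is Windows Server 2008 or later (the rootDSE trigger attribute is named RunProtectAdminGroupsTask there; on Server 2003 it is FixUpInheritance).

```powershell
# Added example: delegate "write lockoutTime" on AdminSDHolder, run SDProp, verify.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$groupName = 'xxx-accops'   # help-desk group from the thread (assumed name)

$rootDse  = Get-ADRootDSE
$holderDn = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
$sid      = (Get-ADGroup -Identity $groupName).SID

# Object-specific ACEs identify the attribute by its schemaIDGUID, not its name.
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID

function Test-LockoutTimeWriteAce {
    # $true when the DACL of $DistinguishedName carries an Allow WriteProperty
    # ACE for $Sid scoped to the lockoutTime attribute.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -eq $Sid -and
            $ace.ObjectType -eq $lockoutTimeGuid -and
            (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)) {
            return $true
        }
    }
    return $false
}

# 1. Put the ACE on AdminSDHolder (idempotent).
if (-not (Test-LockoutTimeWriteAce -DistinguishedName $holderDn -Sid $sid)) {
    $acl = Get-Acl -Path "AD:\$holderDn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$holderDn" -AclObject $acl
}

# 2. Run SDProp now rather than waiting up to 60 minutes for the scheduled pass.
$rootDseAdsi = [ADSI]'LDAP://RootDSE'
$rootDseAdsi.Put('RunProtectAdminGroupsTask', 1)
$rootDseAdsi.SetInfo()

# 3. Verify on every protected account. Until SDProp has finished, some will
#    still report False, which is the "some have it, others don't" picture.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    '{0,-20} lockoutTime write ACE present: {1}' -f $_.SamAccountName,
        (Test-LockoutTimeWriteAce -DistinguishedName $_.DistinguishedName -Sid $sid)
}
```

Two caveats a practitioner would want. Anything placed on AdminSDHolder lands on every protected account, Domain Admins included, so keep the grant to the single attribute rather than a broad right such as "Change Password". And this only helps accounts that really should be protected; for ordinary users that were stamped because they once sat in Account Operators, clearing adminCount and restoring inheritance is the fix, not widening AdminSDHolder.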
