Delegate Permissions
⏱️ 5 minutes
Grant the service account permissions to unlock accounts and reset passwords.
Prerequisites
Before running the script you need:
- The service account created (svc_adunlock)
- The distinguished names of the OUs that contain the users who will use self-service
- A PowerShell session running as Domain Admin, with the ActiveDirectory module (RSAT) installed
Permissions Script
Save the script as Set-ADUnlockPermissions.ps1 and run it to delegate the permissions:

```powershell
#Requires -Modules ActiveDirectory
# ============================================
# AD Unlock Permission Delegation Script
# ============================================
param(
    # sAMAccountName of the service account (optional, defaults to svc_adunlock)
    [string]$ServiceAccount = "svc_adunlock",

    # One or more OU distinguished names, e.g. @("OU=Users,DC=company,DC=local")
    [Parameter(Mandatory=$true)]
    [string[]]$TargetOUs
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$svc    = Get-ADUser -Identity $ServiceAccount   # fails here if the account does not exist
# Identify the trustee by SID so the ACEs keep working if the account is renamed
$svcSid = $svc.SID

# Well-known schema GUIDs (identical in every AD forest)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$lockoutTimeAttr    = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"   # lockoutTime attribute
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class

# Typed enum values avoid constructor overload ambiguity
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # .NET spelling

Write-Host "Configuring permissions for: $($domain.NetBIOSName)\$($svc.SamAccountName)" -ForegroundColor Cyan
Write-Host "Target OUs:" -ForegroundColor Cyan
$TargetOUs | ForEach-Object { Write-Host " - $_" }

foreach ($ou in $TargetOUs) {
    Write-Host "`nProcessing: $ou" -ForegroundColor Yellow

    # Get the OU ACL
    $acl = Get-Acl -Path "AD:\$ou"

    # Permission 1: Reset Password (extended right) on descendant user objects
    $resetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPasswordRight, $descendants, $userClass)
    $acl.AddAccessRule($resetPwd)

    # Permission 2: Write lockoutTime; clearing it to 0 is what unlocks an account
    $writeLockout = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        $lockoutTimeAttr, $descendants, $userClass)
    $acl.AddAccessRule($writeLockout)

    # Permission 3: Read user objects (look up the user, check lockout status)
    $readUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $svcSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow,
        $descendants, $userClass)
    $acl.AddAccessRule($readUsers)

    # Apply ACL
    Set-Acl -Path "AD:\$ou" -AclObject $acl
    Write-Host " ✅ Permissions applied" -ForegroundColor Green
}

Write-Host "`n✅ All permissions configured successfully!" -ForegroundColor Green
```

Usage Example
```powershell
# Single OU
.\Set-ADUnlockPermissions.ps1 `
    -ServiceAccount "svc_adunlock" `
    -TargetOUs @("OU=Users,DC=company,DC=local")

# Multiple OUs
.\Set-ADUnlockPermissions.ps1 `
    -ServiceAccount "svc_adunlock" `
    -TargetOUs @(
        "OU=Staff,OU=Users,DC=company,DC=local",
        "OU=Remote,OU=Users,DC=company,DC=local"
    )
```

Verify Permissions
After running the script, check the ACL of each target OU. dsacls prints an entry's permission details on the lines after the trustee name, so ask Select-String for a few lines of trailing context or those details are cut off:

```powershell
$ou = "OU=Users,DC=company,DC=local"
$serviceAccount = "svc_adunlock"
dsacls $ou | Select-String $serviceAccount -Context 0,4
```

✅ Expected Result

Three entries for the service account, all scoped to descendant user objects (the exact wording and line layout vary between dsacls versions):

```text
Allow COMPANY\svc_adunlock SPECIAL ACCESS for User
CONTROL ACCESS (Reset Password)
Allow COMPANY\svc_adunlock WRITE PROPERTY (lockoutTime) for User
Allow COMPANY\svc_adunlock READ PROPERTY for User
```

Manual Method (GUI)
If you prefer using the GUI:
- Open Active Directory Users and Computers
- Enable View → Advanced Features
- Right-click target OU → Properties → Security → Advanced
- Click Add and select the service account
- Set:
- Applies to: Descendant User objects
- Permissions:
- ☑ Reset Password
- ☑ Write lockoutTime
- ☑ Read all properties
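Whichever method you used, the ACL can also be audited from PowerShell through the AD: provider instead of reading dsacls output. The following is an added example, not part of the original page or the AD Unlock project: it selects the service account's ACEs by SID, decodes the GUIDs back to the three rights the delegation is supposed to grant, and warns about any other right the account holds on the OU (for example GenericAll or WriteDacl left behind by an earlier delegation). The OU DN and account name are assumptions matching the examples above.

```powershell
# Added example (not from the original page): audit the delegated ACEs on one OU.
# Assumes the ActiveDirectory module and the OU/account names used in this guide.
Import-Module ActiveDirectory

$ou             = "OU=Users,DC=company,DC=local"   # assumed target OU
$serviceAccount = "svc_adunlock"                    # assumed service account

# The rights the delegation grants, keyed by the GUID found in the ACE's ObjectType
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$expected  = @{
    "00299570-246d-11d0-a768-00aa006e0529" = "Reset Password (extended right)"
    "28630ebf-41d5-11d1-a9c1-0000f80367c1" = "lockoutTime (write property)"
}

$svcSid = (Get-ADUser -Identity $serviceAccount).SID

# Select the service account's ACEs by SID, so a renamed account still matches
$aces = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $svcSid }
    catch { $false }
}

$ok = 0
foreach ($ace in $aces) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    $name = switch ($rights) {
        "ExtendedRight" { $expected["$($ace.ObjectType)"] }   # $null for any other extended right, or "all"
        "WriteProperty" { $expected["$($ace.ObjectType)"] }   # $null for any other attribute, or "all"
        "GenericRead"   { "GenericRead on user objects" }
        default         { $null }                              # e.g. GenericAll, WriteDacl, CreateChild
    }
    # The ACE must apply to descendant user objects only, not to the OU itself or other classes
    $scoped = ($ace.InheritanceType -eq "Descendents") -and ($ace.InheritedObjectType -eq $userClass)

    if ($name -and $scoped -and $ace.AccessControlType -eq "Allow") {
        Write-Host "OK        $name -> descendant user objects" -ForegroundColor Green
        $ok++
    } else {
        # Anything else is more than the unlock tool needs and should be removed or explained
        Write-Warning ("UNEXPECTED {0} ObjectType={1} InheritedObjectType={2} Inheritance={3}" -f
            $rights, $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType)
    }
}
if ($ok -lt 3) { Write-Warning "Only $ok of the 3 expected entries were found on $ou" }
```

Run it once per target OU; a clean result is three OK lines and no warnings.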
🔧 If Something Goes Wrong
| Symptom | Cause | Solution |
|---|---|---|
| Access denied when running script | The account running PowerShell cannot modify the OU's security descriptor | Run PowerShell as Domain Admin |
| OU not found | Typo in the DN, or the OU doesn't exist | Check the path with `Get-ADOrganizationalUnit -Identity "<DN>"` |
| Service account not found | The name is not the account's sAMAccountName, or the account is in another domain | Pass the sAMAccountName, distinguishedName or SID (`Get-ADUser -Identity` does not accept `DOMAIN\username`); for an account in another domain, run the script from that domain |
Security Note
Principle of least privilege: grant these rights only on the OUs whose users will use self-service, never at the domain root. The Reset Password right lets the service account take over any account it applies to, so check that the target OUs contain no administrative, service or other privileged accounts, and move them out or choose narrower OUs if they do. (Accounts protected by AdminSDHolder, such as members of Domain Admins, have their ACLs rewritten by SDProp and would not keep the delegated entries anyway.) Treat the service account's own credentials as a password-reset path and protect them accordingly.
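A delegation is only as narrow as it behaves in practice, so after applying it, exercise it as the service account: unlock and reset must succeed for a user inside a target OU and fail with an access-denied error for a user outside every target OU. The script below is an added example, not part of the original page or the AD Unlock project. It assumes two throwaway test users you create for this purpose (one under a delegated OU, one elsewhere); the in-scope user's password is changed by the test.

```powershell
# Added example (not from the original page): prove the delegation works where it
# should and fails where it should not, by acting as the service account.
# Assumes the two test users below exist and the account name/domain of this guide.
Import-Module ActiveDirectory

$cred       = Get-Credential -UserName "COMPANY\svc_adunlock" -Message "svc_adunlock password"
$inScope    = "test.unlock.in"    # assumed: located under a delegated OU
$outOfScope = "test.unlock.out"   # assumed: located outside every delegated OU

function New-RandomPassword {
    # 24 random bytes -> 32 base64 characters (upper, lower, digits); extend if your policy needs symbols
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Test-UnlockDelegation {
    param([string]$User, [pscredential]$Credential, [bool]$ShouldSucceed)
    $succeeded = $true
    $reason    = ""
    try {
        # Unlock-ADAccount clears lockoutTime, which only needs the WriteProperty ACE;
        # it is safe to run against an account that is not currently locked
        Unlock-ADAccount -Identity $User -Credential $Credential -ErrorAction Stop
        # -Reset sets a new password without the old one, which needs the Reset Password right
        Set-ADAccountPassword -Identity $User -Reset -NewPassword (New-RandomPassword) `
            -Credential $Credential -ErrorAction Stop
    } catch {
        $succeeded = $false
        $reason    = $_.Exception.Message
    }
    if ($succeeded -eq $ShouldSucceed) {
        Write-Host "PASS  $User (succeeded=$succeeded)" -ForegroundColor Green
    } else {
        Write-Warning "FAIL  $User expected succeeded=$ShouldSucceed, got $succeeded. $reason"
    }
}

Test-UnlockDelegation -User $inScope    -Credential $cred -ShouldSucceed $true
Test-UnlockDelegation -User $outOfScope -Credential $cred -ShouldSucceed $false
```

Two PASS lines mean the rights apply where intended and nowhere else; a PASS for the in-scope user but a FAIL for the out-of-scope user means the account holds broader rights than this page grants (for example an ACE higher in the tree), which is worth tracking down before putting the tool into service.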