Monday, March 23, 2009

Delegate Unlock User Account in Active Directory


I have come across a couple of admins who have fought with this problem often. They want to delegate the unlock account function to the more accessible help desk team and are unable to do so. Oddly, this facility, though readily available in Windows, is hidden from view in the delegation UI. There is a .dat file called dssec.dat in the c:\windows\system32 folder. You will also see it on your workstation if you have the administrative tools installed.


Just open this file in a text editor such as Notepad or Notepad++ (even better) and search for the string “lockoutTime”. It's located under the “[user]” section.


Change the value from “7” to “0”, save the file and exit.

Now right-click the OU that you want to delegate permissions on and select Properties.


Click on the Security tab (if you don't see one, you have to enable View –> Advanced Features on the menu bar).


Click on Advanced. Click on Add, enter the username and click “OK”. In the Permission Entry window select the “Properties” tab. Drop down the “Apply onto” list box and select “User objects”.


You will now see two new permissions in the list: “Read lockoutTime” and “Write lockoutTime”. Any user with these two permissions will be able to lock and unlock user accounts in that OU.
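The same delegation can be scripted, which is handy when it has to be repeated across many OUs or audited later. The following is an added example and not part of the original post: it first makes the dssec.dat edit described above (so the attribute becomes visible in the GUI), then grants Read/Write of lockoutTime on User objects under an OU and lists the resulting entries for verification. The OU, the help desk group name and the backup file name are placeholders; it assumes the RSAT ActiveDirectory module is installed and that it runs as an account allowed to modify the OU's security descriptor. Note that the ACL step does not depend on dssec.dat at all, since that file only filters what the GUI displays.

```powershell
# Added example, not from the original post. Placeholder values:
$OU       = 'OU=Staff,DC=example,DC=com'   # OU whose user accounts the help desk may unlock
$Delegate = 'EXAMPLE\HelpDesk-Unlock'      # group that receives the delegation

# --- Step 1: make lockoutTime visible in the Delegation/ACL editor (GUI only) ---
# dssec.dat lives in System32, so this part needs local admin rights.
$dssec = Join-Path $env:windir 'system32\dssec.dat'
Copy-Item -Path $dssec -Destination "$dssec.bak" -Force   # keep a backup before editing

$inUserSection = $false
$patched = foreach ($line in Get-Content -Path $dssec) {
    if ($line -match '^\[(.+)\]$') {                     # section header such as [user]
        $inUserSection = ($matches[1] -eq 'user')
    }
    if ($inUserSection -and $line -match '^lockoutTime=7$') {
        'lockoutTime=0'                                   # 0 = show the attribute, 7 = hide it
    } else {
        $line
    }
}
Set-Content -Path $dssec -Value $patched

# --- Step 2: grant Read + Write lockoutTime on User objects in the OU ---
Import-Module ActiveDirectory

# Resolve the schema GUIDs from the directory instead of hard-coding them.
$schemaNC        = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)'        -Properties schemaIDGUID).schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
            [System.Security.Principal.SecurityIdentifier])

# One ACE: Allow ReadProperty + WriteProperty, limited to the lockoutTime attribute,
# inherited by descendant objects of class "user" only (the GUI's "User objects").
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$OU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# --- Step 3: verify that only the intended attribute/class was delegated ---
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate -and $_.ObjectType -eq $lockoutTimeGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType -AutoSize
```

Scoping the ACE to the lockoutTime GUID and the user class GUID is what keeps this delegation narrow: the help desk group gets nothing beyond clearing (or setting) that one attribute on user accounts below the chosen OU, which is the same result the two GUI checkboxes produce. The verification step is worth keeping in any delegation script so the entry can be reviewed, and it is also the quickest way to spot a mistakenly broad delegation such as a rule with an empty ObjectType.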

Cheers