Comment: If I wish to unlock an account in active directory,how to go about it using programming codes and does it require a admin level of access? Response Number 1 Name: Infinite Recursion Date: April 07, 2004 at 10:22:34 Pacific Subject: Unlocking accounts in ADS Reply: -- bind to container -- search for user object when found: usr.AccountDisabled = False usr.SetInfo() Response Number 2 Name: weijie Date: April 07, 2004 at 20:42:34 Pacific Subject: Unlocking accounts in ADS Reply: does it require a admin account to perform the code above or any ordinary ads accounts? any pro active directory administrators would could solve my doubt? Response Number 3 Name: Infinite Recursion Date: April 08, 2004 at 08:02:16 Pacific Subject: Unlocking accounts in ADS Reply: You will have to have administrator priveleges to do this. User A cannot disable User B's account. Also, it may be worth mentioning, that you very well may have to run it on the domain controller itself (I didn't test anywhere but on the domain controller.) Response Number 4 Name: weijie Date: April 10, 2004 at 04:35:26 Pacific Subject: Unlocking accounts in ADS Reply: if i want to develop an account unlocking portal, wat kind of rights do i have to give the user b4 he/she can unlock his/her own account? And if possible, is there any security concerns if I allow the user to unlock his/her own account.

The concept of users unlocking their own accounts is a bad idea in my personal opinion. For two reasons: 1) Active Directory is used for a centralized location of resources and administration. Having users enable their own accounts, defeats the the AD purpose. 2) What if those users that were locked out, need to remain locked out for whatever reason. IE: Theft of company secrets. If the user is able to enable their account then the system is less secure in more areas than one. I can not think of a reason why you would want to do this, unless your administrators are overburdened with requests for re-enabling accounts due to password lockouts, etc. If that's the case, change the security policy to allow for more password attempts. State a reason as to why you would want to do something like this. There is probably a more secure way of doing it. There will be a need, if not an AD requirement, for an administrative account to perform this action. IR

the fact that i want to implement this portal is because too much red tape is involved in unlocking an account. However, if i rephrase this implementation for designated administrators to unlock the accounts under their jurisdiction instead of everything thrown to the main administrator, would it be a more sound solution ? If it requires an administrative account, could i only restrict it to having the ability only unlock accounts?