Do you have ADM in place? Then built a config template, which has username as variable and uses this command to unlock the user. Then you can give the Level1 group permissions to execute this particular config template. With that you have a kind of self service unlock.