Hi Cory, I don't think you can set up a user that can create other users (e.g., new user == NU1), but not be able to set that user's password or group memberships. The creating user would own the new user object ... so would presumably have some privileges to it.

To do this, you have to go through a "middleman" application, which creates the new user on behalf of the person you wish to delegate some rights to. Since the requesting user didn't actually have the right to create users himself, he does not actually own the new user object, so you can control his rights with arbitrary rules.

<advertising on, apply grain of salt liberally>
We make a product called ID-Synch, that will let you do this. idsynch.com. If you're still interested, visit the site, as this list is hardly the venue for product promotion.
</advertising off>

Good luck!

- Idan

On Fri, 6 Feb 2004, Stuart, Cory G. wrote:

> Hi All,
> I know that you can limit who can add workstations to a domain
> via Group Policy. Is there a way that you can allow someone to create
> users, but not change their passwords or group memberships, etc?
>
> Thanks!
>
> Cory
>
> -----------------------------------
> Cory G. Stuart
> Network Administrator
> Nuclear Engineering Division
> Argonne National Laboratory
> -----------------------------------
>

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
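The "middleman" arrangement described in the reply above, sketched in PowerShell as an added example; it is not part of the original thread and is not the product mentioned there. It assumes the function runs inside a process already running as a service account that holds the create-user right on a single OU, and that the hosting front end supplies the authenticated requester name; the function name, OU and group name are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical broker: the service account running this code creates (and so
# owns) the new object. The requester holds no rights in the directory at all.
function New-BrokeredUser {
    [CmdletBinding()]
    param(
        # Authenticated caller, passed in by the hosting front end (assumed).
        [Parameter(Mandatory)] [string] $Requester,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # Placeholder values, not taken from the original message.
    $TargetOU       = 'OU=Staging,DC=example,DC=com'
    $RequesterGroup = 'UserCreationRequesters'

    # Rule 1: only members of the requester group may ask for an account.
    $allowed = Get-ADGroupMember -Identity $RequesterGroup -Recursive |
        Where-Object { $_.SamAccountName -eq $Requester }
    if (-not $allowed) { throw "Requester '$Requester' is not authorised." }

    # Rule 2: allowlist both names so they cannot carry DN or filter syntax.
    if ($SamAccountName -notmatch '^[a-z][a-z0-9]{2,19}$') {
        throw "Rejected logon name '$SamAccountName'."
    }
    if ($DisplayName -notmatch '^[A-Za-z][A-Za-z .-]{0,63}$') {
        throw "Rejected display name '$DisplayName'."
    }

    # Rule 3: never touch an account that already exists.
    if (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'") {
        throw "Account '$SamAccountName' already exists."
    }

    # The broker exposes no password or group parameter, so the requester
    # cannot influence either. The account is created disabled, in one fixed
    # OU, with no password set.
    $user = New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
        -Path $TargetOU -Enabled $false `
        -Description "Requested by $Requester" -PassThru

    # Audit record returned to the host, which is expected to log it.
    [pscustomobject]@{
        TimeUtc   = (Get-Date).ToUniversalTime()
        Requester = $Requester
        Created   = $user.DistinguishedName
    }
}
```

Setting the password, enabling the account and assigning groups then remain separate steps performed by whoever holds those rights.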
