Mike,
The property that you're looking to delegate is the 'Write
userAccountControl'. However, that does open up an interesting can of
worms. The userAccountControl property, as you may well know, is a series
of flags that control a number of aspects of the user account - enable (flag
value 512) and disable (flag value 514) being only two. Look here for more
info.
So, if you delegate the ability to disable an account,
you're also going to, by association, delegate quite a bit more - which you may
not want to do, which means it really can't be done - directly. You, of
course, can script or provide a compiled tool called,
e.g. 'accountdisable.exe' which would do nothing more. But, the risk
is that the property is well documented and someone with half a brain could
figure out that they have more than what was intended. They then will be
able to create their own scripts and have a good old time playing with the
properties of the users in their delegated area.
Hope this answers what you are looking
for.
Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, March 26, 2004 4:00 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] permissions to only disable an AD user account
I hope there is an
easy answer to the following question: I would like to delegate authority to a
group to be able to disable user accounts down in an OU. But I don't want
to have to also give them the ability to create/delete user accounts. I've
looked around the Delegation Wizard custom tasks, but really don't find anything
to do this single purpose action. Anybody have an answer?
Thanks!
Mike Thommes
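
Added example, not part of the original thread: an audit check for the risk Rick describes, which diffs old and new userAccountControl values from change records and reports any change that touches a bit other than the disable flag. The flag values come from Microsoft's userAccountControl documentation; the record format, account names and `ALLOWED_MASK` policy are assumptions constructed for illustration.

```python
# Subset of userAccountControl bits (values per Microsoft's documentation).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
}

# Assumed policy: the delegated group is only expected to toggle this bit.
ALLOWED_MASK = 0x0002


def audit_change(old, new):
    """Return (names of flags that changed, True if any change is out of scope)."""
    diff = old ^ new
    touched = [name for bit, name in UAC_FLAGS.items() if diff & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    unknown = diff & ~known
    if unknown:
        touched.append(f"UNKNOWN(0x{unknown:X})")
    return touched, bool(diff & ~ALLOWED_MASK)


def review(records):
    """List (account, actor, out-of-scope flags) for changes beyond enable/disable."""
    findings = []
    for account, actor, old, new in records:
        touched, out_of_scope = audit_change(old, new)
        if out_of_scope:
            extra = [t for t in touched if t != "ACCOUNTDISABLE"]
            findings.append((account, actor, extra))
    return findings


# Constructed sample records: (account, changed_by, old value, new value)
SAMPLE = [
    ("jdoe", "helpdesk1", 512, 514),       # disable only: in scope
    ("asmith", "helpdesk1", 514, 512),     # re-enable only: in scope
    ("svc-app", "helpdesk2", 512, 66048),  # 0x10200: password set to never expire
    ("bwong", "helpdesk2", 512, 546),      # 0x222: disabled, but PASSWD_NOTREQD also set
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```
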
