Hi Rick,
    Thanks for the feedback!  That's exactly what I thought would happen but I needed 
an expert's view!  I was thinking instead I could achieve roughly the same effect by 
giving the group read/write access over the User Account property named 
"AccountExpires" and set it to the current timestamp.  Is this thinking also flawed?
 
Mike Thommes

        -----Original Message----- 
        From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
        Sent: Sat 3/27/2004 10:06 AM 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: RE: [ActiveDir] permissions to only disable an AD user account
        
        
        Mike,
         
        The property that you're looking to delegate is the 'Write 
userAccountControl'.  However, that does open up an interesting can of worms.  The 
userAccountControl property, as you may well know, is a series of flags that control a 
number of aspects of the user account - enable (flag value 512) and disable (flag 
value 514) being only two.  Look here for more info.
         
        http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
         
        So, if you delegate the ability to disable an account, you're also going to, 
by association, delegate quite a bit more - which you may not want to do, which means 
it really can't be done - directly.  You of course, can script or provide a compiled 
tool called, e.g. 'accountdisable.exe' which would do nothing more.  But, the risk is 
that the property is well documented and someone with half a brain could figure out 
that they have more than what was intended.  They then will be able to create their 
own scripts and have a good old time playing with the properties of the users in their 
delegated area.
         
        Hope this answers what you are looking for.
         
        Rick Kingslan  MCSE, MCSA, MCT, CISSP
        Microsoft MVP:
        Windows Server / Directory Services
        Windows Server / Rights Management
        Associate Expert
        Expert Zone - www.microsoft.com/windowsxp/expertzone
        WebLog - www.msmvps.com/willhack4food
          


        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
Michael M.
        Sent: Friday, March 26, 2004 4:00 PM
        To: Active Directory Mailing List (E-mail)
        Subject: [ActiveDir] permissions to only disable an AD user account
        
        
        I hope there is an easy answer to the following question: I would like to 
delegate authority to a group to be able to disable user accounts down in an OU.  But 
I don't want to have to also give them the ability to create/delete user accounts.  
I've looked around the Delegation Wizard custom tasks, but really don't find anything 
to do this single purpose action.  Anybody have an answer?  Thanks!
         
        Mike Thommes
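
Rick's point that userAccountControl is a bit field, worked through as an added example (not code from the thread): a decoder for the flags and an audit check that tells a pure disable/enable toggle (only bit 0x2 flipped) apart from any other write to the attribute, which is the check someone reviewing a delegated group's changes would want. Flag names and values are the documented ones from the KB article Rick links; the old/new value pairs at the bottom are constructed samples.

```python
# Documented userAccountControl flags (per KB 305144); 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, which is why "disable" is 512 -> 514.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit_uac_change(old, new):
    """Classify one write to userAccountControl as (verdict, flags_that_changed).
    A delegate meant only to disable/enable should flip bit 0x2 and nothing else."""
    changed = old ^ new            # bits that differ between old and new value
    names = decode_uac(changed)
    if changed == 0:
        return "no-op", names
    if changed == ACCOUNTDISABLE:
        return ("disable" if new & ACCOUNTDISABLE else "enable"), names
    return "out-of-scope", names   # something other than the disable bit was touched

# Constructed sample writes (old, new), as a change monitor would see them.
if __name__ == "__main__":
    for old, new in [(512, 514), (514, 512), (514, 66050), (512, 544)]:
        verdict, names = audit_uac_change(old, new)
        print(f"{old} -> {new}: {verdict} ({', '.join(names)})")
```

The last two samples (66050 sets DONT_EXPIRE_PASSWORD on top of 514, 544 sets PASSWD_NOTREQD on top of 512) are the kind of write that granting Write userAccountControl permits but that the delegation was never meant to allow.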

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
