> I have an admin who is an Account Operator but can't
> modify his own account info like address or phone number.
Yes, that is correct.
> Does anyone have any ideas?
Glad you asked...
1. You really shouldn't use builtin accounts. Your account op could one day decide to become an enterprise admin, and I fear you would not be able to stop him.
2. Use account provisioning systems and don't give people rights in the directory directly.
3. Barring 2, use delegated accounts, not accounts in built-in groups; you will find this to be similar to #1.
4. If you must give users rights in the directory, do yourself a favor and make them use different accounts for admin work and normal everyday things like EMAIL. Someone just may send your company a nice email with a script that deletes all users and groups, and your acc op buddy reading email with their acc op account would help you test your entire DR scenario. As a quick hint, when I was the lead admin doing work for a Fortune 5 Widget factory's Global Forest with some 250,000 users, I rarely logged in interactively with my DA or EA IDs (like maybe once per week to a DC) and I used the DA or EA IDs through RUNAS/CPAU maybe 2 hours tops out of a 10-12 hour day. The enhanced permission IDs do not need phone numbers and addresses configured on them. You could follow the standard I have followed for about 10 years: separation of admin-level and normal IDs, naming the admin ID the same as the normal ID with a prepended $. And yes, I said 10 years; I started doing this way back on NT, where it also worked perfectly fine. I would say over the course of that time fully 95% of my troubleshooting has been done from a normal-level user ID.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 27, 2006 4:58 PM
To: activedirectory
Subject: [ActiveDir] unable to modify personal info
I have an admin who is an Account Operator but can't modify his own account
info like address or phone number.
I know via the adminSDHolder, account ops can't modify other account ops,
but this user should be able to modify his own account.
There is no entry for Self in the ACL editor for his user object.
Does anyone have any ideas?
Thanks
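The thread turns on two things a directory admin wants to be able to check: which accounts have had their ACL stamped from AdminSDHolder (because they sit in a protected group such as Account Operators), and what that stamped ACL actually grants NT AUTHORITY\SELF compared with the AdminSDHolder template. The script below is an added example, not something posted in the thread; it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and uses `tkern` as a placeholder sAMAccountName for the account being investigated.

```powershell
# Added example (not from the thread): audit AdminSDHolder-protected accounts
# and compare a user's SELF permissions against the AdminSDHolder template.
# Assumptions: RSAT ActiveDirectory module is installed; the caller can read
# the directory; 'tkern' below is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Groups whose members SDProp protects by stamping AdminSDHolder's DACL onto them.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)

# Map user DN -> the protected group that explains its adminCount=1.
function Get-ProtectedMembers {
    $members = @{}
    foreach ($g in $protectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { $members[$_.distinguishedName] = $g }
        } catch {
            # Not every group exists in every domain (e.g. RODC group on older forests).
        }
    }
    return $members
}

# 1. Every account carrying adminCount=1. These have had inheritance disabled
#    and AdminSDHolder's DACL copied onto them, and SDProp re-stamps them on
#    its schedule. An account that has since left every protected group keeps
#    adminCount=1 and its stamped ACL until someone cleans it up.
$protected = Get-ProtectedMembers
$flagged   = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

'--- Accounts with adminCount=1'
foreach ($u in $flagged) {
    $status = if ($protected.ContainsKey($u.DistinguishedName)) {
        "protected via '$($protected[$u.DistinguishedName])'"
    } else {
        'ORPHANED: adminCount=1 but no longer in a protected group'
    }
    '{0,-24} {1}' -f $u.SamAccountName, $status
}

# 2. Which ACEs grant NT AUTHORITY\SELF anything on a given object?
#    For a protected user these come from the AdminSDHolder template, not from
#    the OU's inheritable ACEs, so listing both side by side shows exactly
#    why a self-service edit (phone number, address) is or is not permitted.
function Get-SelfAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference -like '*\SELF' } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}

'--- SELF entries on the AdminSDHolder template'
Get-SelfAces -DistinguishedName $adminSdHolder | Format-Table -AutoSize

$target = Get-ADUser -Identity 'tkern'   # placeholder account under investigation
'--- SELF entries on {0}' -f $target.DistinguishedName
Get-SelfAces -DistinguishedName $target.DistinguishedName | Format-Table -AutoSize
```

Read the second section with the template on top and the user object underneath: if the user's SELF entries match the template and show `InheritanceType: None`, the account is being stamped by SDProp and any extra self-service rights added directly to the object will be reverted on the next pass. Granting those rights on AdminSDHolder itself changes them for every protected account in the domain, which is the trade-off the reply above argues against; keeping the daily-use account out of the protected groups (separate normal and admin IDs) avoids the problem for the account that actually needs an address and phone number.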
