Re: Account Operators Group




"mpatraw_EPIC_Imaging" <mpatrawEPICImaging@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:78D612E2-1055-4C02-B0B0-D0A5022E8523@xxxxxxxxxxxxxxxx
I have 5 users in the Account Operators Group. They can administer only a
few of the 250+ user accounts in AD. On the accounts they can administer, the
Account Operators group is listed in the security tab of the user object.
Account Operators is not listed on the security tab of the user objects which
are not available to administer.

I have 2 questions:

1. How is the Built In group (Account Operators) not listed in the security
tab of all user objects?

2. Is there an easy fix for this, or a script with which I can modify users'
security ACEs to add the Account Operators group? Keeping in mind I wouldn't
want to add them to other Built In groups such as Enterprise Admins, Domain
Admins, etc...

When a user object is created, I believe the system adds an ACE that grants
the group BUILTIN\Account Operators full control of the object. The only
explanation I can think of is that someone removed the ACEs. I have never
seen a user object without this ACE, except members of Domain Admins.

A VBScript program can check for the ACE in the DACL of the user, and add it
if it is not found. The technique would be similar to that used in this
example VBScript program that adds ACEs that deny permission for the user
to change their password:

http://www.rlmueller.net/Cannot%20Change%20PW.htm

I have to think about a script for this. One added feature is that you
probably want a script to operate on all users in bulk, but only modify
those without the ACE. I would certainly test on a few users, before running
a script on all users.

Also, the Administrator user does not have this ACE, and should not. I
wonder what other users should not. Even users that are members of the
builtin Administrators have the ACE, but not members of Domain Admins.
Further research is needed, which may be difficult.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
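A PowerShell version of the bulk check-and-repair script Richard describes above, added here as an example; it is not code from the original thread or from rlmueller.net. It assumes the ActiveDirectory module (RSAT) and the AD: drive it provides, an account permitted to read and modify user DACLs, and that you point -SearchBase at a small test OU first. By default it only reports; with -Fix it adds the missing full-control ACE for BUILTIN\Account Operators (well-known SID S-1-5-32-548) and honours -WhatIf. It skips accounts with adminCount=1, because AdminSDHolder protection (SDProp) is what strips this ACE from Domain Admins members and the Administrator account, and it would strip it again.

```powershell
# Added example, not from the original post: report, and optionally restore,
# the default "BUILTIN\Account Operators" full-control ACE on user objects.
# Assumes the ActiveDirectory module (RSAT) and its AD: PSDrive.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Start with a small test OU, as the reply recommends, before running on all users.
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    # Without -Fix the script only reports; with -Fix it adds the missing ACE.
    [switch]$Fix
)

Import-Module ActiveDirectory

# Well-known SID of BUILTIN\Account Operators.
$accountOperators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-548'

function Test-AccountOperatorsAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check does not depend on name resolution.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned/unresolvable SID, not the one we are looking for
        $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if ($sid -eq $accountOperators -and ($ace.ActiveDirectoryRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

# Skip protected accounts (adminCount=1): AdminSDHolder/SDProp deliberately
# removes this ACE from them, which matches what the reply observes for
# Domain Admins members and the Administrator account.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount |
    Where-Object { $_.adminCount -ne 1 }

$results = foreach ($user in $users) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $has  = Test-AccountOperatorsAce -Acl $acl

    if (-not $has -and $Fix -and
        $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Add Account Operators full-control ACE')) {
        # Same shape as the default ACE: Allow, GenericAll, applied to this object only.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $accountOperators,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        $has = $true
    }

    [pscustomobject]@{
        User                   = $user.SamAccountName
        HasAccountOperatorsAce = $has
    }
}

$results | Format-Table -AutoSize
```

Run it first as `.\Restore-AccountOperatorsAce.ps1 -SearchBase 'OU=Test,DC=example,DC=com'` (a constructed, placeholder OU) to get a report, then with `-Fix -WhatIf` to see which objects would change, and only then with `-Fix`. The report also answers the original question directly: any user listed with HasAccountOperatorsAce = False and adminCount not set is one whose default ACE was removed.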




