Re: Is it possible???

From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
Date: Mon, 6 Feb 2006 22:09:13 +0100

dsquery user <distinguished name OU> -scope subtree | dsmod user -disabled
yes

for this to be changed you need to delegate at least read/write permission
on the useraccountcontrol attribute

The "account is disabled" option is represented by a BIT/FLAG in the
useraccountcontrol attribute. That same attribute also contains other bits
that represent other options like "password never expires".

So to delegate the change of the option "account is disabled" to a group
(recommended) or user, you need to delegate the change to the
useraccountcontrol attribute (read permission and write permission). The
catch here is that by doing this you also allow the change of the other
BITS/FLAGS and that may be not desired by you.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
"elvecio" <elvecio@xxxxxxxxxxxxx> wrote in message
news:e3eQBW0KGHA.2304@xxxxxxxxxxxxxxxxxxxxxxx

We would like to make a Bat file to disable all accounts of a specific OU
at night. and it will be started by a person who isen't member of the
administrators group. So...

I would like to know if it's possible to create this bat and how???
I would like to know if a simple user can do this.....

If anybody could help me...

Elvecio.

Follow-Ups:
- Re: Is it possible???
  - From: Christian Lamparth

References:
- Is it possible???
  - From: elvecio

Prev by Date: Re: Question about the new printer depolyment in R2
Next by Date: Re: DCs and OUs
Previous by thread: Re: Is it possible???
Next by thread: Re: Is it possible???
Index(es):
- Date
- Thread

Relevant Pages

Re: Delegate Disable user privilege
... So to delegate the change of the option "password never expires" to a group ... useraccountcontrol attribute (read permission and write permission). ... I created a OU and I want to delegate disable user privilege to a security ...
(microsoft.public.windows.server.active_directory)
Re: finding deleted email account
... since delegate access is assigned by the user in Outlook, ... assigned the permission would need to delete it...All you'd be able to do is ... seeing who was invited to a meeting, and ferreting it out...then, if you ... deleted account in their delegate list or has that account in a ...
(microsoft.public.exchange.admin)
Re: sbs user permissions
... She'll need Domain Admin privileges to do all the tasks you want her to. ... > permission on mine and my boss's mailbox & AD account. ... >> By default, we can use delegate control to give user special permission, ...
(microsoft.public.windows.server.sbs)
Re: Delegate Disable user privilege
... I got to work with useraccountcontrol attibute to disable user id. ... you need to delegate the change to the ... useraccountcontrol attribute (read permission and write permission). ...
(microsoft.public.windows.server.active_directory)
Re: AD User Object Properties
... So to delegate the change of the option "password never expires" to a group or user, you need to delegate the change to the useraccountcontrol attribute (read permission and write permission). ...
(microsoft.public.win2000.active_directory)