Re: How to control enable/disable user account rights

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

---

• From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
• Date: Tue, 3 Mar 2009 08:18:23 +0000 (UTC)

---

Hello RVirene,

Maybe your account operators need some further introduction how to handle your company policies? Or remove them from the account operators group.

Or you maybe have to create a new security group, add your users and delegate control on a specific OU with only the needed permissions for them instead of using the account operators group.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

I understand now that the Account Operators is protected via
AdminSDHolder function. The underlying issue is that we move all
disabled accounts to one central OU periodically. In some cases,
account operators will re-enable a user account and leave it in this
OU vs. moving it back to it's original OU. We do not want accounts to
be re-enabled while in the "Disabled Accounts" OU.

"Jorge Silva" wrote:

Hi
You need to remove them from that security group. Why?
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.asp
x
http://www.microsoft.com/smallbusiness/support/articles/sec_ad_admin_
groups.mspx
--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"RVirene" <RVirene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2E36C830-5DCC-4947-AC77-FB9066291D59@xxxxxxxxxxxxxxxx

Greetings, I would like to stop Account Operators from being able to
enable
user accounts residing within a particular OU. I have tried adding
the
deny
permission for the "Write userAccountControl" property for user
objects
for
the Account Operators group. The effective permissions continue to
show
full
control, however. I must be missing something basic, but cannot
locate it.

.

---

• References:
  • Re: How to control enable/disable user account rights
    • From: RVirene

• Prev by Date: RE: Delegating permissions
• Next by Date: Re: [windows 2008]: problème d'apostrophe avec auditpol.exe en français.
• Previous by thread: Re: How to control enable/disable user account rights
• Next by thread: Re: How to control enable/disable user account rights
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Account Operators Group ... Account Operators group is listed in the security tab of the user object. ... When a user object is created, I believe the system adds an ACE that grants ... (microsoft.public.win2000.active_directory) Re: create mailbox permissions ... don't see mailbox stores in the user creation dialog. ... > The Account Operators group don't have access to the Exchange Admin Groups ... (microsoft.public.exchange2000.admin) Re: Delegating Account management to Help Desk ... I have created 1 user and kept in Account Operators group and logged in with ... > Or perhaps you would like to define "play around with"? ... > Have you modified any of the permissions on the adminSDHolder object? ... (microsoft.public.windows.server.scripting) Re: Account Operators ... Jorge, thanks for your reply. ... account operators group, but I can't modify their accounts. ... > Articles individually checked for conformance to usenet standards ... (microsoft.public.win2000.active_directory) Re: Account Operators Group does not have permissions to users ... Every normal user should have an ACE that grants special permissions to the ... Account Operators group on the user object. ... if MWilson is made a member of Account ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2009-03