Accounts Operators

[Mike.]

http://www.microsoft.com/resources/documentation/WindowsSer
v/2003/enterprise/proddocs/en-us/Default.asp?
url=/resources/documentation/WindowsServ/2003/enterprise/pr
oddocs/en-us/sag_ADgroups_9builtin_intro.asp

....states that account operators "do not have permission
to modify the Administrators or the Domain Admins groups,
nor do they have permission to modify the accounts for
members of those groups."

In practice this seems to go for members of the account
operators group (including themselves).

Can someone please clarify.

Thanks.

 

[Stefan Buchman]

These are three separate groups. It basically states that a member of
the 'Account Operators' group will not be able to modify users or groups
that have more permissions then they do.

- Stefan

 

[Guest]

http://support.microsoft.com/?id=32770

Old issue was that prior to hotfix if you are a member of account operators, you are able to modify other account operators... (which is considered as a bug).. with hotfix, AdminSDHolder is the parent permission that will refresh all the below inherited permissions, so eventhough .

A is a member of account op
B is also a member of account op

if administrator modifies B security rights to allow A full control, it will still be overwritten by periodic AdminSDHolder updates

The only get around this is to add rights to AdminSDHOlder Permission tab itself to include Full Control (im sure this will work

Cheers