AD Restrictions

Paul

Hi,

We want to be able to allow our HR department to disable
accounts in Active Directory.

They should be able to do nothing else but disable
accounts.

What would you all recommend as a good solution?
 
Todd Maxey [MSFT]

Paul,

Here are some articles on Delegation. In order to allow a user to do this
action and only this action, you will need to delegate the USERACCOUNTCONTROL
attribute (both read and write) on the OU or container in which the user
accounts you wish to have disabled exist.

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

HOW TO: Create and Edit a Taskpad View in a Saved MMC Console in Windows
2000
http://support.microsoft.com/?kbid=321143

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873

Administrative Tool Menu Is Sensitive to User's Permissions
http://support.microsoft.com/?kbid=214739

Active Directory Database Size and Delegation Access Rights
http://support.microsoft.com/?kbid=197054

Hope this helps.


--
Todd Maxey
Windows 200X Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights
 
Paul

Great!

So far so good.

I set up those permissions, and I also selected Deny for
Password reset, and that worked too.

However, the user can still delete users. I don't want
them to accidentally delete anyone.

Which permission subset in Security (object or
properties) should I set to deny?

I have mine set to:

Under Object

"This Object Only"
Deny Delete All Child Objects
Deny Create All Child Objects

"User Object"
Deny Delete All child Objects
Deny Create All Child Objects.

Is there another area I can set to deny so they can not
delete anyone?
 
Cherry Qian

Hi Paul,

Thank you for the posting. As you indicated, you would like to deny deleting
users.

Generally speaking, only the domain administrator has the authority to delete
user accounts. If you do not want the user to delete user accounts, you need
to remove the user from the domain administrator group and then delegate the
specific right to the user group so that they have the other rights and
permissions.

Usually, if you cannot restrict some user rights, you can remove the user
from the group such as removing from the administrator group and then
delegate specific rights and permissions to the user. Sometimes, elevating
user privileges is easier to implement than restricting user privileges.

In order to allow a user to do this action and only this action, you will
need to delegate the USERACCOUNTCONTROL attribute (both read and write) on
the OU or container in which the user accounts you wish to have disabled exist.

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.


Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
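The delegation both replies describe (read/write on userAccountControl only), plus a check for the delete problem Paul raised, as an added example that is not from any of the posters. It assumes a constructed OU `OU=Staff,DC=example,DC=com`, a constructed group `HR-DisableOnly`, and the RSAT ActiveDirectory module on the machine where it runs.

```powershell
# Added example (not from the thread). Delegate only read/write of
# userAccountControl on user objects under one OU, then audit that OU's ACL for
# anything that would also let the group delete users. Constructed names:
# OU=Staff,DC=example,DC=com and group HR-DisableOnly; needs the RSAT AD module.
Import-Module ActiveDirectory
$ouDN  = 'OU=Staff,DC=example,DC=com'
$group = Get-ADGroup 'HR-DisableOnly'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve schema GUIDs for the attribute and the user class instead of hard-coding them
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" `
                        -Properties schemaIDGUID).schemaIDGUID
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'
$userGuid = Get-SchemaGuid 'user'

# One Allow ACE: ReadProperty + WriteProperty on userAccountControl only,
# inherited by descendant user objects, not applied to the OU itself
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: an Allow ACE for the group with Delete (on the user), DeleteChild or
# DeleteTree (on the parent), or a right that can be turned into any of those
# (GenericAll, WriteDacl, WriteOwner) means the group can still remove users.
function Test-DelegationScope([string]$path, [string]$groupName) {
    $risky = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree, GenericAll, WriteDacl, WriteOwner'
    (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference -like "*\$groupName" -and $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $risky) -ne 0
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritedObjectType
}
$findings = Test-DelegationScope -path "AD:\$ouDN" -groupName $group.Name
if ($findings) { $findings | Format-Table -AutoSize } else { "No delete-capable ACEs for $($group.Name) on $ouDN" }

# Per the thread, ACL entries are moot if the HR accounts are also Domain Admins
$admins = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember $group -Recursive | Where-Object { $admins -contains $_.SamAccountName } |
    ForEach-Object { "WARNING: $($_.SamAccountName) is also in Domain Admins" }
```

The audit lists inherited ACEs too, so a delete right granted higher in the tree shows up here even though it was never set on this OU.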
 