Members of Account Operators Group Cannot Manage All User Accounts


Mikael Oskarsson

My customer wants to let members of Account Operators
manage all other Account Operators.

Is it possible?

Regards
 

Matjaz Ladava [MVP]


Joe Richards [MVP]

You can do it unless you modify adminsdholder which would also give account ops the ability to manipulate your
administrator IDs as well. So the feasible answer is no, not natively. You could write up some proxy system of handling
it like writing a COM+ object running in an administrative context that does that work.
 

Joe Richards [MVP]

You know I just realized there is a way you could pull this off. Create the separate OU like Matjaz recommends and set
up the acc op delegation there and then modify the adminsdholder object to have inheritance... I would not recommend
this though as that inheritance being turned off is to protect you in case somehow an admin ID gets moved into an OU
where some normal person has full user delegation given to them or one of several critical attributes delegated to their
control because they could manipulate the admin ID and gain control of the directory.

--
Joe Richards
www.joeware.net
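
An audit check for the risk discussed in this thread, as an added example that is not part of any poster's reply: it verifies that inheritance is still blocked on AdminSDHolder and reports ACEs that would give Account Operators rights over protected accounts. It assumes the RSAT ActiveDirectory module is installed and the caller can read ACLs in the domain; the variable names are illustrative.

```powershell
# Added example: read-only audit of AdminSDHolder and protected accounts.
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$holderDn"

# 1. AdminSDHolder's DACL should be protected (inheritance blocked).
if ($acl.AreAccessRulesProtected) {
    Write-Output "OK: inheritance is blocked on $holderDn"
} else {
    Write-Warning "Inheritance is ENABLED on $holderDn"
}

# 2. Any inherited ACE here came from a parent container and will be
#    stamped onto every protected account by the SDProp process.
$acl.Access | Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 3. ACEs granted to Account Operators (well-known SID S-1-5-32-548).
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548'
$acctOps = $sid.Translate([System.Security.Principal.NTAccount]).Value
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $acctOps -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        Write-Warning "$acctOps has $($_.ActiveDirectoryRights) on AdminSDHolder"
    }

# 4. Accounts flagged adminCount=1 whose own DACL accepts inherited ACEs,
#    i.e. OU-level delegation can currently reach them.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $userAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    if (-not $userAcl.AreAccessRulesProtected) {
        [pscustomobject]@{
            Account            = $_.SamAccountName
            DistinguishedName  = $_.DistinguishedName
            InheritanceEnabled = $true
        }
    }
}
```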
 
