Re: Delegate Account Disable?

From: Jeff Vandervoort (_at_)
Date: 02/06/04 

Date: Thu, 5 Feb 2004 19:47:17 -0600

Thanks; still pretty broad, but I guess it's better than also being able to
add and delete accounts. 

-- 
Jeff Vandervoort
JRVsystems
http://jrvsystems.com
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ussvlrE7DHA.1936@TK2MSFTNGP12.phx.gbl...
> You can delegate write access to the useraccountcontrol which holds the
flag
> say whether or not a given account is active, also note that you give
access
> to set other things. Here is the enumeration of all the flags kept in that
> attribute.
>
>   ADS_UF_SCRIPT                           =  0X0001,
>   ADS_UF_ACCOUNTDISABLE                   =  0X0002,
>   ADS_UF_HOMEDIR_REQUIRED                 =  0X0003,
>   ADS_UF_LOCKOUT                          =  0X0010,
>   ADS_UF_PASSWD_NOTREQD                   =  0X0020,
>   ADS_UF_PASSWD_CANT_CHANGE               =  0X0040,
>   ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED  =  0X0080,
>   ADS_UF_TEMP_DUPLICATE_ACCOUNT           =  0X0100,
>   ADS_UF_NORMAL_ACCOUNT                   =  0X0200,
>   ADS_UF_INTERDOMAIN_TRUST_ACCOUNT        =  0X0800,
>   ADS_UF_WORKSTATION_TRUST_ACCOUNT        =  0X1000,
>   ADS_UF_SERVER_TRUST_ACCOUNT             =  0X2000,
>   ADS_UF_DONT_EXPIRE_PASSWD               =  0X10000,
>   ADS_UF_MNS_LOGON_ACCOUNT                =  0X20000,
>   ADS_UF_SMARTCARD_REQUIRED               =  0X40000,
>   ADS_UF_TRUSTED_FOR_DELEGATION           =  0X80000,
>   ADS_UF_NOT_DELEGATED                    =  0X100000
>
>
> -- 
> www.joeware.net
>
>
> "Jeff Vandervoort" <jeffv @ jrvsystems dot com> wrote in message
> news:uULS4ez6DHA.2392@TK2MSFTNGP11.phx.gbl...
> > Is there a way to delegate the ability to disable/enable user accounts
> > without also delegating create/delete/manage accounts?
> >
> > -- 
> >
> > Jeff Vandervoort
> > JRVsystems
> > http://jrvsystems.com
> >
> >
>
>

Relevant Pages

  • Re: Account Operators accessing other account operators
    ... Once you are done with that you should move to fully delegated accounts where the exact permissions needed are delegated. ... group and delegate the correct permissions on an OU that applies to the correct objects in that OU. ... the Microsoft Windows domain controller that has the primary domain controller emulator operations master role verifies the ACLs on members of these administrative groups and compares them to the ACL on the AdminSDHolder object. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegate Account Disable?
    ... "Jeff Vandervoort" <jeffv @ jrvsystems dot com> wrote in message ... > add and delete accounts. ... >> You can delegate write access to the useraccountcontrol which holds the ...
    (microsoft.public.windows.server.security)
  • Re: Delegate Account Disable?
    ... You can delegate write access to the useraccountcontrol which holds the flag ... -- www.joeware.net "Jeff Vandervoort" <jeffv @ jrvsystems dot com> wrote in message ... > Is there a way to delegate the ability to disable/enable user accounts> without also delegating create/delete/manage accounts? ...
    (microsoft.public.windows.server.security)
  • Re: Permissions to join machine to domain
    ... I'm looking for just a list of ACL/ACE permissions to allow only joining to ... I want to delegate the following control to a group. ... Locked User Accounts: ... 294777 - How to Delegate Group Policy Control to users in Trusted Domain: ...
    (microsoft.public.windows.server.active_directory)
  • Re: Administrator Accounts
    ... Computers can backup and restore domain controllers. ... the domain or you can delegate authority to create users/computer accounts ... and reset passwords for all but privileged group members. ... When you delegate for the domain/OU you can use standard or create ...
    (microsoft.public.security)