Re: Custom Delegation in AD

From: kusdjeff (
Date: 09/27/04

Date: Mon, 27 Sep 2004 09:37:02 -0700

You said that you cannot set that natively. Is there any way that you can do

Thanks, Jeff

"Joe Richards [MVP]" wrote:

> You can't natively. The delegation has to be to the entire attribute or not at all.
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> kusdjeff wrote:
> > I have a question about AD delegation. I am in the process of creating an AD
> > custom delegation (modifying the delegwiz.inf). I am able to set all the
> > rights for my environment except one. How do I enable (delegate) my users
> > the ability to enable/disable accounts. I understand that there is a
> > 'userAccountControl' option, but this grants too many rights. I only want my
> > users the ability to enable/disable accounts without affecting other rights
> > such as "Password Never Expires" and "User Cannot Change Password". How do I
> > go about doing this??
> >
> > Thanks in advance, Jeff
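
The point made in the reply above, as an added example that is not part of the original thread: `userAccountControl` is a single integer bit field, so a write to the attribute can change any flag in it, and a review of changes has to compare bits. The flag values are the documented ones; the account names and the (account, old, new) records are constructed, and how such records are collected is left as an assumption.

```python
# Added example (not from the thread): review userAccountControl changes and
# report any write that touches more than the enable/disable bit.
ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def changed_flags(old, new):
    """Return the names of every flag that differs between two values."""
    diff = old ^ new
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if diff & bit]
    unknown = diff & ~sum(UAC_FLAGS)  # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def is_enable_disable_only(old, new):
    """True only if the write toggles ACCOUNTDISABLE and nothing else."""
    return (old ^ new) == ACCOUNTDISABLE


def review(changes):
    """Return (account, changed flag names) for writes beyond enable/disable."""
    findings = []
    for account, old, new in changes:
        if old != new and not is_enable_disable_only(old, new):
            findings.append((account, changed_flags(old, new)))
    return findings


# Constructed sample records: (account, old value, new value)
SAMPLE = [
    ("user1", 0x0200, 0x0202),   # account disabled (512 -> 514)
    ("user2", 0x0202, 0x0200),   # account enabled again
    ("user3", 0x0200, 0x10200),  # "Password Never Expires" set
    ("user4", 0x0200, 0x10202),  # disabled and never-expires in one write
]

if __name__ == "__main__":
    for account, flags in review(SAMPLE):
        print(account, flags)
```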
