Using SELF permissions to deny objects in AD for a Helpdesk

I have been asked to ensure the Helpdesk team members cannot edit their own user account properties in AD (2003).

We have one "USERS" OU container in which all of the company's users reside, including the Helpdesk team. The idea is that they can manage everyone else's user account for any reason, apart from their own.

I have been testing using the SELF security permission (on the Security tab) for one of the Helpdesk accounts, with some level of success. I can set it so that it can read but cannot change most of the fields, but the one I have a massive issue with is the "Member of" tab, which, regardless of what I do, still allows them to add membership to whichever group they choose.

Just wondering if anyone has had to do something similar and how you achieved it. Thanks.
sterlingdev asked:

dave_it commented:
Just thinking out loud here...  I'd put the Help Desk user objects into a separate OU.  Then, use the Delegation wizard in ADU&C to explicitly deny the Help Desk Users group the right to modify the MemberOf attribute on that OU.

I don't have the ability to test this right now, so caveat emptor.  But there is a way to do what you have been tasked to do, I or someone else here will get you there. :)
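One way to verify a delegation of the kind dave_it describes, added here as an example rather than code from the thread: the "Member of" tab actually writes the group's `member` attribute (`memberOf` on the user is a computed back-link), so the audit enumerates ACEs on group objects that give a principal WriteProperty, or the validated "Self" write, on `member`. It assumes the RSAT ActiveDirectory module with its AD: drive; the OU path and principal name are placeholders.

```powershell
# Added example (not from the thread): list the groups a principal can add
# members to, by inspecting ACEs on the group objects themselves. Group
# membership lives in the group's "member" attribute; "memberOf" on the user
# is a back-link, so ACEs on the user object do not control it.
Import-Module ActiveDirectory

$searchBase = 'OU=Groups,DC=example,DC=com'   # placeholder OU to audit
$principal  = 'EXAMPLE\HelpDesk'               # placeholder group or user (DOMAIN\Name)

# Schema GUID of the "member" attribute (fixed, same in every forest)
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Either a property write or the validated "add/remove self as member" write
$mask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
        [System.DirectoryServices.ActiveDirectoryRights]::Self

Get-ADGroup -Filter * -SearchBase $searchBase | ForEach-Object {
    $group = $_
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $principal) { continue }
        $hasRight     = ($ace.ActiveDirectoryRights -band $mask) -ne 0
        # ObjectType empty means the ACE covers all properties, not just "member"
        $coversMember = ($ace.ObjectType -eq $memberGuid) -or ($ace.ObjectType -eq [Guid]::Empty)
        if ($hasRight -and $coversMember) {
            [PSCustomObject]@{
                Group     = $group.Name
                Type      = $ace.AccessControlType      # Allow or Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
} | Sort-Object Group, Type | Format-Table -AutoSize
```

Any group listed with an Allow and no matching Deny is one the principal can still add members to from the "Member of" tab or through any LDAP client, whatever ACEs were placed on the user object.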
dave_it commented:
Instead of trying to limit SELF, have you tried applying explicit "Deny" permissions with the Help Desk user's ID to the same account?

It could just be me, but I never muck around with SELF and other built-in/system account permissions.  If I use a different account, then I can back out any changes I made without impacting the pre-existing permissions structure.
sterlingdev (author) commented:
If you do an explicit Deny in that way, login problems occur and you cannot change your own password when it expires.
dave_it commented:
What account properties are you looking to prevent the Help Desk users from modifying on their own accounts?
sterlingdev (author) commented:
The "Member of" tab; from what I have tried, it doesn't seem possible. If you have any rights to do anything within AD Users and Computers, it seems that the "Member of" tab is exposed.
sterlingdev (author) commented:
Thanks Dave, I gave up on this in the end; we have an IT consultant who is coming in to help with this as I could not get it to work correctly.

I found it impossible to restrict the view of the "Member of" tab, and even if I could, they would still be able to get around it "programmatically" anyway.

Thanks anyway