Using SELF permissions to deny objects in AD for a Helpdesk

I have been asked to ensure the Helpdesk team members cannot edit their own user account properties in AD (2003).

We have one "USERS" OU container in which all of the company's users reside, including the Helpdesk team. The idea is that they can manage everyone else's user account for any reason, apart from their own.

I have been testing using the SELF security permission (on the Security tab) for one of the Helpdesk accounts, with some level of success. I can set it so that it can read but cannot change most of the fields, but the one I have a massive issue with is the "Member of" tab, which regardless of what I do, still allows them to add in membership to whichever group they choose.

Just wondering if anyone has had to do something similar and how you achieved it. Thanks.

Instead of trying to limit SELF, have you tried applying explicit "Deny" permissions with the Help Desk user's ID to the same account?

It could just be me, but I never muck around with SELF and other built-in/system account permissions.  If I use a different account, then I can back out any changes I made without impacting the pre-existing permissions structure.
sterlingdev (Author) commented:
If you do an explicit Deny in that way, login problems occur and you cannot change your own password when it expires.
What account properties are you looking to prevent the Help Desk users from modifying on their own accounts?
sterlingdev (Author) commented:
The "Member of" tab; from what I have tried, it doesn't seem possible. If you have any rights to do anything within AD Users and Computers, it seems that the "Member of" tab is exposed.
Just thinking out loud here... I'd put the Help Desk user objects into a separate OU. Then, use the Delegation wizard in ADU&C to explicitly deny the Help Desk Users group the right to modify the MemberOf attribute on that OU.

I don't have the ability to test this right now, so caveat emptor. But there is a way to do what you have been tasked to do; I or someone else here will get you there. :)
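As an added example (not code from the thread or from either poster), the following PowerShell script applies the approach suggested above with the ActiveDirectory module, then audits which principals can actually write group membership. It assumes placeholder names (`OU=Helpdesk,OU=USERS,DC=example,DC=com`, `EXAMPLE\Help Desk Users`, `OU=Groups,DC=example,DC=com`) and a domain controller or ADWS gateway that the module can talk to, which 2003-era tooling did not offer.

```powershell
# Added example: deny WriteProperty on memberOf for user objects in a Helpdesk OU,
# then audit who can write the 'member' attribute of groups.
# $HelpdeskOU, $HelpdeskGroup and $GroupsOU are assumed placeholders for a lab domain.
Import-Module ActiveDirectory

$HelpdeskOU    = 'OU=Helpdesk,OU=USERS,DC=example,DC=com'
$HelpdeskGroup = 'EXAMPLE\Help Desk Users'
$GroupsOU      = 'OU=Groups,DC=example,DC=com'

# Resolve schema GUIDs at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

$memberOfGuid  = Get-SchemaGuid 'memberOf'
$userClassGuid = Get-SchemaGuid 'user'

# Deny ACE: Help Desk group may not write memberOf on descendant user objects of the OU.
$acl  = Get-Acl -Path "AD:\$HelpdeskOU"
$sid  = (New-Object System.Security.Principal.NTAccount($HelpdeskGroup)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$HelpdeskOU" -AclObject $acl

# Caveat: memberOf is a back-link computed from each group's 'member' attribute, so a
# membership change is actually a write to the group object. Audit which principals hold
# write rights on 'member' (or blanket write/control rights) for groups in the Groups OU.
$memberGuid = Get-SchemaGuid 'member'
Get-ADGroup -Filter * -SearchBase $GroupsOU | ForEach-Object {
    $dn = $_.DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl')
    } | Select-Object @{n='Group';e={$dn}}, IdentityReference, ActiveDirectoryRights
}
```

Any row the audit returns for the Help Desk group is a group whose membership that group can still change regardless of the deny ACE on the user objects.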

sterlingdev (Author) commented:
Thanks Dave, I gave up on this in the end; we have an IT consultant coming in to help with this, as I could not get it to work correctly.

I found it impossible to restrict the view of the "Member of" tab, and even if I could, they would still be able to get around it "programmatically" anyway.

Thanks anyway