sterlingdev
Using SELF permissions to deny objects in AD for a Helpdesk
I have been asked to ensure the Helpdesk team members cannot edit their own user account properties in AD (2003).
We have one "USERS" OU container in which all of the company's users reside, including the Helpdesk team. The idea is that they can manage everyone else's user account for any reason, apart from their own.
I have been testing using the SELF security permission (on the Security tab) for one of the Helpdesk accounts, with some level of success. I can set it so that it can read but cannot change most of the fields, but the one I have a massive issue with is the "Member of" tab, which regardless of what I do, still allows them to add in membership to whichever group they choose.
Just wondering if anyone has had to do something similar and how you achieved it. Thanks.
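An added audit script, not from this thread: the "Member of" tab in AD Users and Computers writes the *group's* `member` attribute, so Deny ACEs for SELF on the user object never cover it; the ACEs that matter sit on the group objects. This script lists every group under a search base on which a given principal holds a write right that covers `member`. Group name and OU DN are hypothetical placeholders; it assumes the ActiveDirectory PowerShell module (RSAT) and its AD: drive, which are not available on the 2003-era tools the question mentions.

```powershell
# Added example (not the original poster's or any product's code).
# Lists group objects where $Principal can modify membership, i.e. holds
# WriteProperty on the 'member' attribute, or GenericWrite / GenericAll.
Import-Module ActiveDirectory

$Principal  = 'CONTOSO\Helpdesk'                  # hypothetical group name
$SearchBase = 'OU=USERS,DC=contoso,DC=com'        # hypothetical OU DN
# schemaIDGUID of the 'member' attribute (well-known, fixed across forests)
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

Get-ADGroup -Filter * -SearchBase $SearchBase | ForEach-Object {
    $group = $_
    # The AD: drive exposes the object's security descriptor to Get-Acl
    $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        # ObjectType empty = ACE applies to all attributes; otherwise it must
        # name 'member' specifically to be relevant to the "Member of" tab
        $coversMember = ($ace.ObjectType -eq [Guid]::Empty) -or
                        ($ace.ObjectType -eq $MemberGuid)
        $canWrite = ($ace.ActiveDirectoryRights -band $writeMask) -ne 0
        if ($coversMember -and $canWrite) {
            [PSCustomObject]@{
                Group     = $group.Name
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

The script matches ACEs granted directly to the named principal only; rights the Helpdesk members hold through nested group membership or through broad Allow ACEs on the OU itself will not show up unless you run it once per principal they are a member of.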
ASKER
If you do an explicit Deny in that way, login problems occur and you cannot change your own password when it expires.
What account properties are you looking to prevent the Help Desk users from modifying on their own accounts?
ASKER
The "Member of" tab, from what I have tried it doesn't seem possible. If you have any rights to do anything within AD Users and Computers it seems that the "member of" tab is exposed.
ASKER
Thanks Dave, I gave up on this in the end. We have an IT consultant who is coming in to help with this, as I could not get it to work correctly.
I found it impossible to restrict the view of the Members Of tab, and even if I could, they would still be able "programmatically" to get around it anyway.
Thanks anyway
It could just be me, but I never muck around with SELF and other built-in/system account permissions. If I use a different account, then I can back out any changes I made without impacting the pre-existing permissions structure.