I have been asked to ensure the Helpdesk team members can not edit their own user account properties in AD (2003).
We have one "USERS" OU container of which all of the companies users reside, including the Helpdesk team. The idea is that they can manage everyone elses user account for any reason, apart from their own.
I have been testing using the SELF security permission (on the Security tab) for one of the Helpdesk accounts, with some level of success. I can set it so that it can read but cannot change most of the fields, but the one I have a massive issue with is the "Member of" tab, which regardless of what I do, still allows them to add in membership to whichever group they choose.
Just wondering if anyone has had to do something similar and how you acheived it. Thanks.