Domain Admin created objects in ADUC can't be edited by Helpdesk

Posted on 2012-08-31
Medium Priority
Last Modified: 2012-09-19
I am currently running into an issue where any computer account or user account created in ADUC by a Domain Admin is unable to be edited by anyone with lower privileges than a Domain Admin.  The affected users are members of the Account Operators group.  We have also tried delegating permissions to an OU without success.  Any ideas how I can remedy this situation?

Other pertinent info:

Functional Level: Server 2008 R2

Note: This also occurred prior to the functional level upgrade from 2000 mixed mode.
Question by:automaton64

Accepted Solution

Sarang Tinguria earned 1000 total points
ID: 38355922
Check the security permissions of those users which are not editable
Start AD in Advanced Mode, right click the users and check the Security tab, click Advanced, select Effective Permissions, select your Account Operators ID/group and see what permissions are assigned for that object.

Expert Comment

by:Krzysztof Pytko
ID: 38360000
Looks like there is missing inheritance on OU objects. Can you verify whether Account Operators are present on the particular objects which were created? If not, I would recommend an AD reorganization to not use the standard built-in groups (they give too many permissions to users). Instead of that, please delegate the appropriate tasks to your users.

If you wish, you may follow articles on my blog for that at


Author Comment

ID: 38364379
@sarang_tinguria: In the Security tab for the users created by the DA, there is no Account Operators group. In an account created by anyone below that level, the Account Operators group has Full Control.

@iSiek: For some more background, we don't use the built-in Users OU for the users affected. We have a Users OU that is located under each separate site OU. For the security of this Users OU, Account Operators have "Create/delete Computer Objects", "Create/delete Group Objects", and "Create/delete User Objects" applied to "This object only".

As I type, I think I am figuring out what is going on. Maybe you guys can help me confirm. As I dig through the permissions, there are two groups in question; we will call one group "Level3", which the affected users are members of. This group is a member of the Account Operators built-in group. At the top level, as I described above, the Account Operators group has the ability to create objects in this OU, and this is applied ONLY to this OU. As I move down the list of permissions, I see the Level3 group with the following permissions:

1) "Reset Password" - applied to "Descendant User Objects"
2) "Read pwdLastSet" - applied to "Descendant User Objects"
3) "Create Organizational Unit Objects" - applied to "This object and all descendant objects"
4) "Read lockoutTime" - applied to "Descendant User Objects"
5) "Read adminDisplayName" - applied to "Descendant User Objects"

So correct me if I'm wrong, but according to the permissions at the top level, I'm seeing that the Account Operators who are also members of the Level3 group are given the permissions to create the User objects in the OU, and by virtue of being in the Account Operators group, are given Full Control when the object is created. However, when a Domain Admin creates one, the inheritance set at the top level only propagates the ability for users in the Account Operators group or Level3 group to basically display the users and reset passwords.

Does this sound correct?
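The distinction the author is working through (an ACE applied to "This object only" never reaches the user objects created under the OU, whereas one applied to "Descendant User Objects" does) can be checked directly from the ACLs instead of clicking through ADUC. The following audit script is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is installed and uses placeholder OU, user and group names (CONTOSO\Level3, OU=Users,OU=Site1,...) that stand in for the environment in the question.

```powershell
# Added example: list the ACEs a delegated group holds on an OU (or on a user
# inside it) and report the scope ADUC would display under "Applies to".
Import-Module ActiveDirectory

# Schema class GUIDs for the InheritedObjectType field. These are the same in
# every AD forest; the all-zero GUID means "all object classes".
$ClassGuid = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'User'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'Group'
    'bf967aa5-0de6-11d0-a285-00aa003049e2' = 'Organizational Unit'
}

function Get-DelegatedAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,   # object to inspect
        [Parameter(Mandatory)] [string] $Identity              # e.g. 'CONTOSO\Level3' (placeholder)
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $classKey = $ace.InheritedObjectType.ToString()
        $class = if ($ClassGuid.ContainsKey($classKey)) { $ClassGuid[$classKey] } else { $classKey }
        # InheritanceType is what ADUC renders as "Applies to":
        #   None        -> "This object only"  (never propagates to children)
        #   Descendents -> "Descendant <class> objects" (children only, not the OU)
        #   All         -> "This object and all descendant objects"
        $appliesTo = switch ($ace.InheritanceType.ToString()) {
            'None'        { 'This object only' }
            'Descendents' { "Descendant $class objects" }
            'All'         { 'This object and all descendant objects' }
            default       { $ace.InheritanceType.ToString() }
        }
        [pscustomobject]@{
            Identity        = $Identity
            Rights          = $ace.ActiveDirectoryRights
            Type            = $ace.AccessControlType
            AppliesTo       = $appliesTo
            IsInherited     = $ace.IsInherited
            ReachesChildren = ($ace.InheritanceType.ToString() -ne 'None')
        }
    }
}

# Usage: audit the site's Users OU, then a user that a Domain Admin created in it.
# Any ACE with ReachesChildren = False on the OU will be absent from the user's ACL.
Get-DelegatedAce -DistinguishedName 'OU=Users,OU=Site1,DC=contoso,DC=com' -Identity 'CONTOSO\Level3' |
    Format-Table -AutoSize
Get-DelegatedAce -DistinguishedName 'CN=Jane Doe,OU=Users,OU=Site1,DC=contoso,DC=com' -Identity 'CONTOSO\Level3' |
    Format-Table -AutoSize
```

Run it against the same group on both the OU and a DA-created user: the rights that appear on the OU as "This object only" will not appear on the user at all, while the "Descendant User objects" entries show up on the user with IsInherited = True, which is exactly the asymmetry described above.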
