Domain Admin created objects in ADUC can't be edited by Helpdesk

Posted on 2012-08-31
Last Modified: 2012-09-19
I am currently running into an issue where any computer account or user account created in ADUC by a Domain Admin is unable to be edited by anyone with lower privileges than a Domain Admin.  The affected users are members of the Account Operators group.  We have also tried delegating permissions to an OU without success.  Any ideas how I can remedy this situation?

Other pertinent info:

Functional Level: Server 2008 R2

Note: This also occurred prior to the functional level upgrade from 2000 mixed mode.
Question by: automaton64

    Accepted Solution

    Check the security permissions of those users which are not editable
    Start AD in Advanced Mode, right-click the user and check the Security tab, click Advanced, select Effective Permissions, and select your Account Operators ID/group to see what permissions are assigned for that object.

    Expert Comment

    by: Krzysztof Pytko
    Looks like inheritance is missing on the OU objects. Can you verify whether Account Operators is present on the particular objects that were created? If not, I would recommend reorganizing AD so as not to use the standard built-in groups (they give users too many permissions). Instead, delegate the appropriate tasks to your users.

    If you wish, you may follow articles on my blog for that at
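    The delegation Krzysztof recommends, as an added PowerShell example that is not part of the thread: grant a custom helpdesk group the rights to create and delete users in a site's Users OU, reset passwords, and read/write attributes of every user under it, with the inheritance scope set to descendant user objects so the rights apply regardless of who created the account. The OU distinguished name and the group name are assumptions; the GUIDs for the user class and the Reset Password extended right are looked up from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the thread): delegate a narrow set of rights on a
# site's Users OU to a custom helpdesk group, instead of making the helpdesk
# members of the built-in Account Operators group. OU DN and group name are
# assumptions; adjust them. Run as a user allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDn      = 'OU=Users,OU=Site1,DC=corp,DC=example'   # assumed OU
$groupName = 'Helpdesk-Tier1'                         # assumed custom group

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# Look up the GUIDs of the 'user' schema class and the 'Reset Password'
# extended right by name, so nothing is hard-coded.
$rootDse = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$thisObject  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None        # "This object only"
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents # .NET's spelling

$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Create/delete user objects directly in this OU ("This object only").
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $userClassGuid, $thisObject)))

# 2) Reset Password on all descendant user objects, whoever created them.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $descendants, $userClassGuid)))

# 3) Read and write attributes of descendant user objects (what "editing" in ADUC needs).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $descendants, $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Show the explicit ACEs now present for the group on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

    The scope is the part that matters for this thread: an ACE added with inheritance `None` is exactly what ADUC shows as "This object only" and never reaches objects beneath the OU, whereas `Descendents` with the user class as the inherited object type lands on every user under it, including ones a Domain Admin creates later. Account Operators is one of the built-in groups protected by AdminSDHolder, and its members can create and modify most non-admin user, group and computer accounts throughout the domain, which is why a narrow OU-level delegation like this is the safer design.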


    Author Comment

    @sarang_tinguria: In the security tab for the users created by the DA, there is no Account Operators group.  In an account created by anyone below that level, the Account Operator has Full Control.  

    @iSiek:  For some more background, we don't use the built-in Users OU for the users affected.  We have a Users OU that is located under each separate site OU.  For the security of this User's OU, Account Operators have "Create/delete Computer Objects", "Create/delete Group Objects", and "Create/delete User Objects" applied to "This object only".  

    As I type, I think I am figuring out what is going on.  Maybe you guys can help me confirm.  As I dig through the permissions, there are two groups in question, we will call one group "Level3", which the affected users are a member of.  This group is a member of the Account Operators built-in group.  At the top level, as I described above, the Account Operators group has the ability to create objects in this OU, and is applied ONLY to this OU.  As I move down the list of permissions, I see the Level3 group with the following permissions:

    1) "Reset Password" - applied to "Descendant User Objects"
    2) "Read pwdLastSet" - applied to "Descendant User Objects"
    3) "Create Organizational Unit Objects" - applied to "This object and all descendant objects"
    4) "Read lockoutTime" - applied to "Descendant User Objects"
    5) "Read adminDisplayName" - applied to "Descendant User Objects"

    So correct me if I'm wrong, but according to the permissions at the top level, I'm seeing that the Account operators who are also a member of the Level3 group are given the permissions to create the User objects in the OU, and by virtue of being in the Account Operators group, are given Full Control when created.  However, when a Domain Admin creates one, the inheritance set at the top level only propagates the ability for users in the Account Operators group or Level3 group to basically display the users and reset passwords.

    Does this sound correct?
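    The check suggested in the accepted solution (look at the Security tab of an object that cannot be edited) and the comparison the author walks through above, as an added PowerShell example that is not part of the thread: dump the ACL of one user created by a Domain Admin and one created by a helpdesk member, resolve the object-type GUIDs to schema and extended-right names, mark each ACE as explicit or inherited, and print the ACEs present on one object but not the other. The two sAMAccountNames are assumptions.

```powershell
# Added example (not from the thread): compare the ACLs of two user objects,
# one created by a Domain Admin and one by an Account Operators member, and
# show which ACEs differ. The Inherited column tells you whether an ACE was
# stamped on the object at creation or flows down from the OU. Both
# sAMAccountNames are assumptions.
Import-Module ActiveDirectory

$daCreated = 'da.created.user'   # assumed: user created by a Domain Admin
$hdCreated = 'hd.created.user'   # assumed: user created by an Account Operators member

# GUID -> name map for schema classes/attributes and extended rights, so the
# ObjectType / InheritedObjectType columns read like ADUC's Advanced view.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-Guid([guid]$g, [string]$Default) {
    # An empty GUID means "all properties / all rights" or "any object class".
    if ($g -eq [guid]::Empty) { return $Default }
    $name = $guidMap[$g.ToString()]
    if ($name) { $name } else { $g.ToString() }
}

function Get-AceSummary([string]$SamAccountName) {
    $dn = (Get-ADUser $SamAccountName).DistinguishedName
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        New-Object PSObject -Property @{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType.ToString()
            Rights      = $ace.ActiveDirectoryRights.ToString()
            AppliesTo   = Resolve-Guid $ace.ObjectType 'All'
            InheritedTo = Resolve-Guid $ace.InheritedObjectType 'Any class'
            Inherited   = $ace.IsInherited
        } | Select-Object Identity, Type, Rights, AppliesTo, InheritedTo, Inherited
    }
}

function Get-AceKey($a) {
    "$($a.Identity)|$($a.Type)|$($a.Rights)|$($a.AppliesTo)|$($a.InheritedTo)|$($a.Inherited)"
}

$da = Get-AceSummary $daCreated
$hd = Get-AceSummary $hdCreated
$daKeys = @($da | ForEach-Object { Get-AceKey $_ })
$hdKeys = @($hd | ForEach-Object { Get-AceKey $_ })

"ACEs on $hdCreated that $daCreated lacks:"
$hd | Where-Object { $daKeys -notcontains (Get-AceKey $_) } | Format-Table -AutoSize

"ACEs on $daCreated that $hdCreated lacks:"
$da | Where-Object { $hdKeys -notcontains (Get-AceKey $_) } | Format-Table -AutoSize
```

    Read the first table with the author's theory in mind: if the helpdesk-created user carries a Full Control ACE for Account Operators with Inherited = False, that ACE was written onto the object itself when it was created and was never going to appear on a user someone else created. If the only ACEs the helpdesk group holds on the Domain Admin-created user have Inherited = True, they are exactly the OU-level rights (Reset Password, the handful of readable attributes) scoped to descendant user objects, and nothing grants write access to the rest of the object.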
