Active Directory - Ability to disable an account but not enable

Hi EE

Does anyone know if there is a way to grant an account the ability to disable other AD accounts but not be able to enable accounts?

I am at a 2003 domain functional level.
Asked by: MilesLogan

Thomas Grassi (Systems Administrator) commented:
You need to delegate a lot in order to do what you want.

I found this that might guide you:

http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

Sandeep (Sr System Administrator) commented:
I am not sure if this can be achieved, as with Delegate Control you can grant permissions to modify the user settings, which include the overall permission. There is no specific permission set like disable or enable users in the Delegate Control option.

MilesLogan (Author) commented:
Thanks for the info, yeah, I didn't think it was possible.

McKnife commented:
Note: it would be possible if you moved those currently disabled accounts to an OU below the OU you are granting disable+enable permissions on, if you disabled inheritance of permissions. We don't need to use the Delegation of Control wizard; Properties -> Security will do it.

Or what is your mission's objective? Grant rights to disable but keep the currently disabled ones from being enabled, no?