?
Solved

Active Directory - Ability to disable an account but not enable

Posted on 2014-04-24
4
Medium Priority
?
1,420 Views
Last Modified: 2014-04-26
Hi EE

Does anyone know if there is a way to grant an account the ability to disable other AD accounts but not be able to enable accounts ?

I am in a 2003 domain functional level
0
Comment
Question by:MilesLogan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 23

Accepted Solution

by:
Thomas Grassi earned 1000 total points
ID: 40021735
You need to delegate a lot in order to do what you want

I found this that might guide you

http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/
0
 
LVL 12

Assisted Solution

by:Sandeep
Sandeep earned 1000 total points
ID: 40022933
I am not sure if this can be achieved as with Delegate control you can grant permissions to modify the user settings which include the overall permission. There is no such specific permission set like disable or enable users in the Delegate control option.
0
 
LVL 2

Author Closing Comment

by:MilesLogan
ID: 40023934
Thanks for the info , yeah I didn't think it was possible ..
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40024283
Note: it would be possible if you moved those currently disabled accounts to an OU below the OU you are granting disable+enable permissions on if you disabled inheritance of permissions. We don't need to use the delegation of control wizard but ->properties ->security will do it.

Or what is your mission's objective? Grant rights to disable but keep the currently disabled ones from being enabled, no?
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month12 days, 22 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question