[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1576
  • Last Modified:

Active Directory - Ability to disable an account but not enable

Hi EE

Does anyone know if there is a way to grant an account the ability to disable other AD accounts but not be able to enable accounts ?

I am in a 2003 domain functional level
0
MilesLogan
Asked:
MilesLogan
2 Solutions
 
Thomas GrassiSystems AdministratorCommented:
You need to delegate a lot in order to do what you want

I found this that might guide you

http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/
0
 
SandeepSr System AdministratorCommented:
I am not sure if this can be achieved as with Delegate control you can grant permissions to modify the user settings which include the overall permission. There is no such specific permission set like disable or enable users in the Delegate control option.
0
 
MilesLoganAuthor Commented:
Thanks for the info , yeah I didn't think it was possible ..
0
 
McKnifeCommented:
Note: it would be possible if you moved those currently disabled accounts to an OU below the OU you are granting disable+enable permissions on if you disabled inheritance of permissions. We don't need to use the delegation of control wizard but ->properties ->security will do it.

Or what is your mission's objective? Grant rights to disable but keep the currently disabled ones from being enabled, no?
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now