• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1685
  • Last Modified:

Active Directory - Ability to disable an account but not enable

Hi EE

Does anyone know if there is a way to grant an account the ability to disable other AD accounts but not be able to enable accounts ?

I am in a 2003 domain functional level
0
MilesLogan
Asked:
MilesLogan
2 Solutions
 
Thomas GrassiSystems AdministratorCommented:
You need to delegate a lot in order to do what you want

I found this that might guide you

http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/
0
 
SandeepSr System AdministratorCommented:
I am not sure if this can be achieved as with Delegate control you can grant permissions to modify the user settings which include the overall permission. There is no such specific permission set like disable or enable users in the Delegate control option.
0
 
MilesLoganAuthor Commented:
Thanks for the info , yeah I didn't think it was possible ..
0
 
McKnifeCommented:
Note: it would be possible if you moved those currently disabled accounts to an OU below the OU you are granting disable+enable permissions on if you disabled inheritance of permissions. We don't need to use the delegation of control wizard but ->properties ->security will do it.

Or what is your mission's objective? Grant rights to disable but keep the currently disabled ones from being enabled, no?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now