Account Operators rights on new accounts

Hi all,

I'm currently running a very standard 2012 R2 Domain with a number of OUs in the structure for different permission levels. We have some  Level 1 Help desk staff in the built-in account operators group so they can setup users and modify existing accounts.

There is a sub OU that I would like them to have only read only access on but it appears even when this is changed changed on the OU holding these accounts, any new accounts created are still given full allow control to the accounts operators group by default.

Does anyone know the reason for this and is it possible to change that from happening to new accounts?



Example Images below:

Structure.PNG
Would like to deny all editing of users under the Service OU by account operators

Permissions-of-group.PNG
Current permissions for the account operators on the Service OU level

user-account.PNG
Current permissions for the account operators on a user under this OU (default permissions for all new accounts) (Inheritance is enabled at all levels)
philpugAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kevin StanushApplication DeveloperCommented:
I believe the Account Operators is a protected group, so you can't change the permissions, if you do, they revert back.  Account Operators is a built-in group that gives essentially full access to manage accounts except for admin accounts.  What you would need to do is to create a new 'HelpDesk' group, and delegate that group to manage any OU, except for the Service OU, that way you have control over it.
0
Shaun VermaakTechnical Specialist/DeveloperCommented:
You should not use Account Operators group for Level 1 Helpdesk staff. This group is more powerful than what people think.
Do delegation for the exact tasks required

This might be useful
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html

And here is a custom Delegwiz.inf
[Version]
signature="$CHICAGO$"

[DelegationTemplates]

Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23,template24, template25, template26, template27, template28, template29, template30, template31, template32, template33,template34, template35, template36, template37, template38, template39, template40, template41, template42, template43,template44, template45, template46, template47, template48, template49, template50, template51, template52, template53,template54, template55, template56, template57, template58, template59, template60, template61, template62, template63,template64, template65, template66, template67, template68, template69, template70
;---------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage user accounts"

ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;---------------------------------------------------------

;---------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset user passwords and force password change at next logon"

ObjectTypes = user

[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all user information"

ObjectTypes = user

[template3.user]
@=RP

;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container

Description = "Create, delete and manage groups"

ObjectTypes = SCOPE, group

[template4.SCOPE]
group=CC,DC

[template4.group]
@=GA

;----------------------------------------------------------


;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the membership of a group"

ObjectTypes = group

[template5.group]
member=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS

Description = "Join a computer to the domain"

ObjectTypes = SCOPE

[template6.SCOPE]
computer=CC
;----------------------------------------------------------



;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site

Description = "Manage Group Policy links"

ObjectTypes = SCOPE

[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------

;---------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Planning)"

ObjectTypes = SCOPE

[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------

;---------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Generate Resultant Set of Policy (Logging)"

ObjectTypes = SCOPE

[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------

;---------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create, delete, and manage inetOrgPerson accounts"

ObjectTypes = SCOPE, inetOrgPerson

[template10.SCOPE]
inetOrgPerson=CC,DC

[template10.inetOrgPerson]
@=GA
;---------------------------------------------------------



;---------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset inetOrgPerson passwords and force password change at next logon"

ObjectTypes = inetOrgPerson

[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------


;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Read all inetOrgPerson information"

ObjectTypes = inetOrgPerson

[template12.inetOrgPerson]
@=RP

;----------------------------------------------------------

;---------------------------------------------------------
[template13]
AppliesToClasses=container

Description = "Create, Delete, and Manage WMI Filters"

ObjectTypes = SCOPE, msWMI-Som

[template13.SCOPE]
msWMI-Som=CC,DC

[template13.msWMI-Som]
@=GA
;----------------------------------------------------------

;---------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Create an Organizational Unit"

ObjectTypes = SCOPE

[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit

Description = "Delete a child Organizational Unit"

ObjectTypes = SCOPE

[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit

Description = "Delete this Organizational Unit"

ObjectTypes = organizationalUnit

[template16.organizationalUnit]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename an Organizational Unit"

ObjectTypes = organizationalUnit

[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Description of an Organizational Unit"

ObjectTypes = organizationalUnit

[template18.organizationalUnit]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify Managed-By Information of an Organizational Unit"

ObjectTypes = organizationalUnit

[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delegate Control of an Organizational Unit"

ObjectTypes = organizationalUnit

[template20.organizationalUnit]
@=WD
;----------------------------------------------------------

;---------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a group"

ObjectTypes = SCOPE

[template21.SCOPE]
group=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child group"

ObjectTypes = SCOPE

[template22.SCOPE]
group=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this group"

ObjectTypes = group

[template23.group]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a group"

ObjectTypes = group

[template24.group]
cn=WP
name=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the Pre-Windows 2000 compatible name for the group"

ObjectTypes = group

[template25.group]
sAMAccountName=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the description of a group"

ObjectTypes = group

[template26.group]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the scope of the group"

ObjectTypes = group

[template27.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the type of the group"

ObjectTypes = group

[template28.group]
groupType=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify notes for a group"

ObjectTypes = group

[template29.group]
info=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify group membership"

ObjectTypes = group

[template30.group]
member=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By Information of a Group"

ObjectTypes = group

[template31.group]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a computer account"

ObjectTypes = SCOPE

[template32.SCOPE]
computer=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child computer account"

ObjectTypes = SCOPE

[template33.SCOPE]
computer=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this computer account"

ObjectTypes = computer

[template34.computer]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a computer account"

ObjectTypes = computer

[template35.computer]
@=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a computer account"

ObjectTypes = computer

[template36.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a computer account"

ObjectTypes = computer

[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computer's description"

ObjectTypes = computer

[template38.computer]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify Managed-By information for a computer account"

ObjectTypes = computer

[template39.computer]
managedBy=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify that a computer account be trusted for delegation"

ObjectTypes = computer

[template40.computer]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account in disabled state"

ObjectTypes = SCOPE

[template41.SCOPE]
user=CC
;----------------------------------------------------------

;---------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Create a user account"

ObjectTypes = SCOPE , user

[template42.SCOPE]
user=CC

[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete a child user account"

ObjectTypes = SCOPE

[template43.SCOPE]
user=DC
;----------------------------------------------------------

;---------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Delete this user account"

ObjectTypes = user

[template44.user]
@=SD
;----------------------------------------------------------

;---------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Rename a user account"

ObjectTypes = user

[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template46.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Unlock a user account"

ObjectTypes = user

[template47.user]
lockoutTime=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Enable a disabled user account"

ObjectTypes = user

[template48.user]
userAccountControl=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Reset a user account's password"

ObjectTypes = user

[template49.user]

CONTROLRIGHT= "Change Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Force a user account to change the password at the next logon"

ObjectTypes = user

[template50.user]
CONTROLRIGHT= "Reset Password"
userPassword=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's display name"

ObjectTypes = user

[template51.user]
adminDisplayName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user account's description"

ObjectTypes = user

[template52.user]
description=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's office location"

ObjectTypes = user

[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's telephone number"

ObjectTypes = user

[template54.user]
telephoneNumber=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the location of a user's primary web page"

ObjectTypes = user

[template55.user]
wWWHomePage=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's UPN"

ObjectTypes = user

[template56.user]
userPrincipalName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify a user's Pre-Windows 2000 user logon name"

ObjectTypes = user

[template57.user]
sAMAccountName=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Modify the hours during which a user can log on"

ObjectTypes = user

[template58.user]
logonHours=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the computers from which a user can log on"

ObjectTypes = user

[template59.user]
userWorkstations=WP
;----------------------------------------------------------

;---------------------------------------------------------
;[template60]
;AppliesToClasses=domainDNS,organizationalUnit,container

;Description = "Set User cannot change password for a user account"

;ObjectTypes = user

;[template60.user]

;CONTROLRIGHT= "Change Password"
;----------------------------------------------------------

;---------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Password Never Expires for a user account"

ObjectTypes = user

[template61.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Store Password Using Reversible Encryption for a user account"

ObjectTypes = user

[template62.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Disable a user account"

ObjectTypes = user

[template63.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Smart card is required for interactive logon for a user account"

ObjectTypes = user

[template64.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Account is sensitive and cannot be delegated for a user account"

ObjectTypes = user

[template65.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Use DES encryption types for this account for a user account"

ObjectTypes = user

[template66.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Set Do not require Kerberos pre-authentication for a user account"

ObjectTypes = user

[template67.user]
userAccountControl=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify the date when a user account expires"

ObjectTypes = user

[template68.user]
accountExpires=WP
;----------------------------------------------------------

;---------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a profile path for a user"

ObjectTypes = user

[template69.user]
profilePath=WP
;----------------------------------------------------------


;---------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container

Description = "Specify a logon script for a user"

ObjectTypes = user

[template70.user]
scriptPath=WP
;----------------------------------------------------------

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
philpugAuthor Commented:
Thanks Kevin and Shaun, I thought that is probably the case but I just wanted to get a second point of view, I'll look at moving to a new security group, cheers
0
philpugAuthor Commented:
I just wanted to add that I see an anomaly in the production environment there is a OU that the users inside are not automatically given full rights to the account operators group, in fact the account operators aren't even added to the security permissions on new users created in this OU.

It seems that users in the sub OUs are given full control but for some reason users in the parent OU are exempt, does anyone know why or how a single OU could be exempt when protection for the account operators built-in container is still intact?
0
PberSolutions ArchitectCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Shaun Vermaak (https:#a42416558)
-- Kevin Stanush (https:#a42416501)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
user controls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.