Allow specific users to enable/disable accounts


Matt Payton

I want to allow specific users to enable or disable user accounts in
specific OUs... Resetting passwords is also OK.

I work at a hospital, and we have *many* vendors that need to access our
network remotely for support at all hours. We keep the vendors' user
accounts disabled until they need access. But currently the late night
Help Desk personnel don't have rights to enable/disable user accounts.
So, if an account needs to be enabled, the on-call tech (who all have
this ability) has to be paged, they have to dial/VPN in, and enable the
account. I'd like to give the overnight staff the ability to do that,
but not much else.

A little more info:
Win2k domain controllers in Native mode.
All vendor accounts are in their own OU.

I've tried delegating control, but haven't gotten it to work... At least
not without allowing the users too much access in the OU. For example,
I don't want them to be able to create or delete accounts, or to play
with group membership... Just enable an account that has been disabled.
BTW, I followed the instructions outlined here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952

Is there a way, via a Group Policy, to allow a group of users to do this?
Or is there a better way?

Any advice/info is appreciated.
 
In ADUC, highlight the OU that you want to make the permission changes
against, right-click it and then click "Delegate Control", then just
follow the onscreen directions. It's very simple.

Philip Nunn
 
Philip said:
In ADUC, highlight the OU that you want to make the permission changes
against, right-click it and then click "Delegate Control", then just
follow the onscreen directions. It's very simple.

Yeah, I've done that, as I said in my original post. The problem is
that there is no option there for *just* enabling/disabling users. The
closest one is "unlock". But the accounts aren't locked, they're
disabled. Which AFAIK is different.
As I said, I don't want the users to have *too* much control, only
access to what they specifically need, nothing more.
Using the Delegate Control "Wizard" is close, but doesn't meet my needs.
I was just wondering if there were a better way... Possibly something
via a GPO.
 
Jo wrote:

You can do a lot with customized MMC taskpads. Look at
this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321143&Product=win2000

That helps, thanks. But I still need to restrict the user to only the
specific rights I want to give them... If they're smart enough to run mmc
and add the Users + Computers snap-in, they'll have access to more.
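
The narrow delegation asked for in this thread can be set directly on the OU's ACL instead of through the wizard. The following is an added example, not part of any post above; it assumes dsacls.exe (Windows Support Tools) is available, and the OU distinguished name and group name are placeholders.

```bat
@echo off
rem Added example, not from the thread.
rem Placeholders (assumptions): replace with the real vendor OU and Help Desk group.
set VENDOR_OU=OU=Vendors,DC=example,DC=com
set HELPDESK=EXAMPLE\NightHelpDesk

rem "Disabled" is the ACCOUNTDISABLE bit (0x2) of the userAccountControl attribute,
rem which is separate from the lockout state the wizard's "unlock" option covers.
rem Grant read/write on that single attribute, inherited to user objects only (/I:S).
rem No create/delete child and no write to group membership is granted.
dsacls "%VENDOR_OU%" /I:S /G "%HELPDESK%:RPWP;userAccountControl;user"

rem Optional: the Reset Password control access right, also limited to user objects.
dsacls "%VENDOR_OU%" /I:S /G "%HELPDESK%:CA;Reset Password;user"

rem Review the resulting ACL and confirm only the entries above were added.
dsacls "%VENDOR_OU%"
```

Write access to userAccountControl covers every flag stored in that attribute, not only the disabled bit, so keep the group small. Because the permission lives on the directory objects, it applies no matter which console or snap-in the staff open.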
 