Hi Joe
I created two groups with rights:
1) USR-C group with rights:
.. Create, modify and delete user accounts (task: create, delete, and manage
user accounts)
.. Set rights via ADSI Edit - deny write userAccountControl on User objects
.. Remove rights - Modify Permissions and Modify Owner
2) USR-F group with rights:
.. Create, modify and delete user accounts (task: create, delete, and manage
user accounts)
.. Remove rights - Modify Permissions and Modify Owner
So USR-F and USR-C can't change permissions in AD.
Both groups may create users in AD, but:
- if people with USR-C rights create a new user account, it is disabled and
can't be enabled because of the deny right on the userAccountControl attribute
- if people with USR-F rights create a new user account, it is enabled
Is write access to userAccountControl necessary to create enabled
users?
I would like to give rights to create user accounts, but only Domain Admins
should have the right to set e.g. "password never expires", so I removed rights
on userAccountControl.
Have a nice day,
Michal
Joe Richards said:
Because when you have a password policy, the default creation of userids is
as disabled; that is how the system works.
Also note that if you give them full control, any time they want to they
can go back and change the ACL and give themselves the ability to modify
the userAccountControl. Right now you simply have security by obscurity.
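As an added example (not code from either poster), the PowerShell check below reads the ACL of a delegated OU and reports, for the two groups from the post, any ACE that grants Modify Permissions / Modify Owner (WriteDacl / WriteOwner, which is the loophole Joe describes) or that allows or denies writing userAccountControl. It assumes the ActiveDirectory module and its AD: drive; the OU path and group names are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: the delegated OU and the two groups from the post.
$OuDn   = 'OU=Users,DC=example,DC=com'
$Groups = @('USR-C', 'USR-F')

# Resolve the schemaIDGUID of userAccountControl from the schema rather than
# hard-coding it, so the comparison below matches attribute-scoped ACEs.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNc `
              -LDAPFilter '(lDAPDisplayName=userAccountControl)' `
              -Properties schemaIDGUID
$uacGuid  = [guid]$uacAttr.schemaIDGUID

$R   = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$OuDn"

# Only ACEs set directly on this OU are inspected; inherited ones are included
# in $acl.Access as well, so parent-level delegations also show up here.
$findings = foreach ($ace in $acl.Access) {
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($Groups -notcontains $name) { continue }
    $rights = $ace.ActiveDirectoryRights

    $meaning = $null
    if ($ace.AccessControlType -eq 'Allow') {
        if (($rights -band $R::WriteDacl) -or ($rights -band $R::WriteOwner)) {
            # Joe's point: the group can rewrite the ACL and lift its own deny.
            $meaning = 'Can change ACL/owner: the userAccountControl deny is only obscurity'
        } elseif (($rights -band $R::GenericAll) -or ($rights -band $R::GenericWrite)) {
            $meaning = 'Generic write: implies write to userAccountControl'
        } elseif (($rights -band $R::WriteProperty) -and
                  ($ace.ObjectType -eq $uacGuid -or $ace.ObjectType -eq [guid]::Empty)) {
            $meaning = 'Can write userAccountControl (enable accounts, set flags)'
        }
    } elseif (($rights -band $R::WriteProperty) -and $ace.ObjectType -eq $uacGuid) {
        # The explicit deny from the post (USR-C).
        $meaning = 'Denied write to userAccountControl: new users stay disabled'
    }

    if ($meaning) {
        [pscustomobject]@{ Group = $name; Type = $ace.AccessControlType
                           Rights = $rights; Meaning = $meaning }
    }
}
$findings | Format-Table -AutoSize
```

A group that appears with the WriteDacl/WriteOwner line should have Modify Permissions and Modify Owner removed, as the post already does, before the deny on userAccountControl can be relied on.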