Members of Account Operators Group Cannot Manage All User Accounts

  • Thread starter: Mikael Oskarsson

Mikael Oskarsson

My customer wants to let members of Account Operators
manage all other Account Operators.

Is it possible?

Regards
 
You can do it unless you modify AdminSDHolder which would also give account ops the ability to manipulate your
administrator IDs as well. So the feasible answer is no, not natively. You could write up some proxy system of handling
it like writing a COM+ object running in an administrative context that does that work.
 
You know, I just realized there is a way you could pull this off. Create the separate OU like Matjaz recommends and set
up the acc op delegation there and then modify the AdminSDHolder object to have inheritance... I would not recommend
this though, as that inheritance being turned off is to protect you in case somehow an admin ID gets moved into an OU
where some normal person has full user delegation given to them or one of several critical attributes delegated to their
control, because they could manipulate the admin ID and gain control of the directory.

--
Joe Richards
www.joeware.net
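
A read-only audit of the protection discussed in this thread, added here as an example and not written by any of the posters: it reports whether inheritance is still disabled on AdminSDHolder, lists the ACEs that get stamped onto protected accounts, and flags protected accounts that currently accept inherited (OU-delegated) permissions. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.

```powershell
# Added example: read-only audit of AdminSDHolder and the accounts it protects.
# Assumes the ActiveDirectory module (RSAT); makes no changes to the directory.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# 1. Inheritance on AdminSDHolder should be disabled. If InheritanceDisabled is
#    False, permissions delegated higher in the tree flow onto the template.
$holderAcl = Get-Acl -Path "AD:\$holderDn"
[pscustomobject]@{
    Object              = $holderDn
    InheritanceDisabled = $holderAcl.AreAccessRulesProtected
}

# 2. Allow ACEs on AdminSDHolder. These are copied onto every protected account,
#    so any principal listed here that is not an administrative group deserves review.
$holderAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 3. Accounts marked as protected (adminCount=1) whose ACL currently accepts
#    inherited ACEs. Such an account can be modified by whoever holds user
#    delegation on the OU it sits in.
#    Note: adminCount can stay at 1 after an account leaves a protected group,
#    so confirm group membership before treating a hit as a finding.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    if (-not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            InheritedAllowAces = @($acl.Access | Where-Object {
                $_.IsInherited -and $_.AccessControlType -eq 'Allow'
            }).Count
        }
    }
}
```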
 