I want users of an OU to have access to enable and disable user accounts in their own OU.

I believe in order to do this I need to grant the Read and Write userAccountControl property to the SELF security principal of the OU in question, like so: [screenshot]

I want to make sure I'm doing this right. Will they need any other permissions in order to enable and disable accounts? They are actually going to be running a program that is directly modifying the AccountDisabled attribute.

red888
  • To clarify: do you want _any_ user in this OU to be able to do this, or are you trying to set up specific managers for that OU? – Joel Coel Dec 17 '15 at 17:47
  • I want any user in the OU to be able to do this. – red888 Dec 17 '15 at 18:06
  • `Users` isn't an OU, it's a container. Are you sure this is the target object that you want to give users access to? This is the container that all user objects are created in by default and is also the home for several AD-specific users and groups (such as the Domain Admins group and the Administrator user account). – joeqwerty Dec 17 '15 at 18:19
  • This is an OU named users and it's not the one I actually want to do this on. I just want to know if the permissions assignment I'm asking about will do what I think it will do. – red888 Dec 17 '15 at 18:22
  • OK, this must be a child OU of another OU then, right? – joeqwerty Dec 17 '15 at 19:50
  • Not necessarily; I may want to do this on a top-level OU. – red888 Dec 17 '15 at 19:52
  • Sorry, I got you off track. I assumed that your screenshot was of the Users container and when you said that it was an OU I only meant that it must be a child OU because the default Users container and an OU named Users can't co-exist at the root of the domain. I didn't mean to imply anything about where in the tree you could do this. – joeqwerty Dec 17 '15 at 20:28

0 Answers