I have a user I want to be able to disable or enable other domain user accounts without giving that user too many permissions. I spent some time Googling and on Microsoft’s support site and couldn’t find a specific permission that allowed just that. I found one that allows you to delegate the ability to unlock a user account. After playing with this for a couple of hours I grew to appreciate the complexity and power Active Directory gives an administrator over a domain. What I finally ended up using was a permission that allows the user to enable/disable accounts as well as change anything in the account options window on the Account tab. A bit more than I wanted to give, but not a problem in my case.
Right-click your domain and select “Delegate Control.” The Delegation of Control Wizard starts; click Next to begin. Next, select the users or groups that you want to delegate the responsibility to. In my case I have a group called “DisableEnableUsers” that I want to give the ability to disable/enable user accounts.
Next, select the “Create a custom task to delegate” radio button and hit Next. On the “Delegate control of:” dialog, select “Only the following objects,” scroll down to “User Objects,” and hit Next. Put a check in the “General” box on the “Show these permissions:” window. Scroll down to “Read and Write Account Restrictions” and check it. Hit Next and then Finish.
Now the users and/or groups to which you delegated “Read and Write Account Restrictions” will be able to disable or enable user accounts.
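To review the result of the wizard, the following added example (not part of the original post) lists every ACE on the domain root that grants write access to the Account Restrictions property set on user objects, together with the members of each delegated group. It assumes the RSAT ActiveDirectory module is installed and that the delegation was made at the domain root as described above; the two GUIDs are the well-known identifiers of the property set and of the user class.

```powershell
# Added example: audit who holds "Write Account Restrictions" on user objects.
Import-Module ActiveDirectory

# rightsGuid of the User-Account-Restrictions property set (covers userAccountControl,
# accountExpires and the other fields behind the Account tab options).
$accountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'
# schemaIDGUID of the "user" object class.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Assumption: the wizard was run on the domain itself; change to an OU DN if not.
$target = (Get-ADDomain).DistinguishedName
$write  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Keep only Allow ACEs that write this property set and apply to user objects.
$aces = (Get-Acl -Path "AD:\$target").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $write) -and
    $_.ObjectType -eq $accountRestrictions -and
    $_.InheritedObjectType -eq $userClass
}

foreach ($ace in $aces) {
    # IdentityReference looks like DOMAIN\DisableEnableUsers; take the account name.
    $name  = $ace.IdentityReference.Value.Split('\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"

    # Expand nested membership so the report shows the people, not just the group.
    $members = if ($group) {
        (Get-ADGroupMember -Identity $group -Recursive).SamAccountName -join ', '
    } else {
        '(not a group)'
    }

    [pscustomobject]@{
        Trustee     = $ace.IdentityReference.Value
        Rights      = $ace.ActiveDirectoryRights
        Inheritance = $ace.InheritanceType
        Members     = $members
    }
}
```

The script reports only ACEs scoped to this property set; trustees with broader rights on user objects (for example write access to all properties) can also enable and disable accounts and need a separate review.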
This is great, many thanks!
Why doesn’t Microsoft document this option more? It is so hard to find information about the properties you can use with Delegation of Control…
Some kind of templates for common purposes would be nice too. Now it is needed to think. And that’s baad. ;)
In my case I have a group which is dedicated to helpdesk and it should be restricted when it comes to deletion of users but still needs to enable/disable accounts.
This was a useful little article even if delegation of administrative rights has been heavily used, as knowing that “Read and Write Account Restrictions.” is needed to enable/disable an account is not too obvious...
“Read and Write Account Restrictions.” is needed to enable /disable account is not too obvious.. . .
enabled this and it worked!
Thnx
I want to delegate control for enabling and disabling computers. How to do this?
This worked and saved me from a half hour of digging. Thank you.