AD / Account creation QUESTION...

bran2235 · Jun 18, 2007

Hello all-

I am in the middle of locking down permissions (for my user support group- we have an OU mysterically disappear over the weekend!!!)..

Anyways, my question is How do I allow these individuals the ability to CREATE accounts but NOT DELETE Accounts?

There is a AD group titled AccountCreators in AD... is this the group I want to place them in? Originally, these folks were "Domain Admin" Group members... obviously, NOT ANYMORE!

Many Thanks!
Brandon

IllogicallyLogical · Jun 18, 2007

I believe you can control this through the Delegation of Control Wizard in Active Directory. You would create a custom task to delegate and give the ability to create user objects, but not give them the ability to delete them.

- Step-by-Step Guide to Using the Delegation of Control Wizard

http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/ctrlwiz.mspx

Delegating control of custom tasks is towards the bottom of this article.

Joey
A+, Network+, MCP

scottew · Jun 18, 2007

Create an OU for the support users.

Highlight the OU and click on ACTION then DELEGATE control.

Add the users you wish to delegate control.
Check the box to Create custom task to delegate.

Then you can choose which objects to delegate control and let them either create and/or delete.

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

AD / Account creation QUESTION...

bran2235

IS-IT--Management

IllogicallyLogical

Technical User

scottew

IS-IT--Management

Similar threads

Part and Inventory Search

Sponsor