From: mpatraw_EPIC_Imaging on
I have 5 users in the Account Operators Group. They can administer only a
few of the 250+ user accounts in AD. On the accounts they can administer the
Account Operators group is listed in the security tab of the user object.
Account Operators is not listed on the security tab of the user objects which
are not available to administer.

I have 2 questions:

1. How is the Built In group (Account Operators) not listed in the security
tab of all user objects?

2. Is there an easy fix for this, or a script with which I can modify users'
security ACEs to add the Account Operators group? Keeping in mind I wouldn't want
to add them to other Built In groups such as Enterprise Admins, Domain Admins,
etc...
From: Richard Mueller [MVP] on

"mpatraw_EPIC_Imaging" <mpatrawEPICImaging(a)discussions.microsoft.com> wrote
in message news:78D612E2-1055-4C02-B0B0-D0A5022E8523(a)microsoft.com...
>I have 5 users in the Account Operators Group. They can administer only a
> few of the 250+ user accounts in AD. On the accounts they can administer
> the
> Account Operators group is listed in the security tab of the user object.
> Account Operators is not listed on the security tab of the user objects
> which
> are not available to administer.
>
> I have 2 questions:
>
> 1. How is the Built In group (Account Operators) not listed in the
> security
> tab of all user objects?
>
> 2. Is there an easy fix for this, or a script with which I can modify users'
> security ACEs to add the Account Operators group? Keeping in mind I wouldn't
> want
> to add them to other Built In groups such as Enterprise Admins, Domain
> Admins,
> etc...

When a user object is created, I believe the system adds an ACE that grants
the group BUILTIN\Account Operators full control of the object. The only
explanation I can think of is that someone removed the ACEs. I have never
seen a user object without this ACE, except members of Domain Admins.

A VBScript program can check for the ACE in the DACL of the user, and add it
if it is not found. The technique would be similar to that used in this
example VBScript program that adds ACEs that deny permission for the user
to change their password:

http://www.rlmueller.net/Cannot%20Change%20PW.htm

I have to think about a script for this. One added feature is that you
probably want a script to operate on all users in bulk, but only modify
those without the ACE. I would certainly test on a few users, before running
a script on all users.

Also, the Administrator user does not have this ACE, and should not. I
wonder what other users should not. Even users that are members of the
builtin Administrators have the ACE, but not members of Domain Admins.
Further research is needed, which may be difficult.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


From: Richard Mueller [MVP] on
Does this article explain what you see:

http://support.microsoft.com/kb/245174

Per the article Account Operators cannot manage users that are members of
the following restricted groups:

Account Operators
Administrators
Backup Operators
Print Operators
Server Operators
Domain Admins

If you have users that are not members of any of these groups, even due to
group nesting, and lack the ACE, then you have a problem. However, any
program to fix it must check each user for membership in any of these
groups, or any other groups that are members of these groups.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
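The two checks Richard describes (his first reply: test each user's DACL for the Account Operators ACE and add it when absent; this reply: first test membership in the restricted groups, including nested membership) as one added PowerShell example. It is not part of the thread and not the VBScript from his site; the report format, the -Fix switch and the variable names are my own, and it assumes the ActiveDirectory module with its AD: drive and an account allowed to read (and, with -Fix, write) user DACLs.

```powershell
# Added example, not from the thread: audit user objects for the ACE that grants
# BUILTIN\Account Operators rights, and explain a missing ACE by the membership
# rule quoted from KB 245174 (direct or nested membership in a restricted group).
param([switch]$Fix)   # report only by default; -Fix adds the ACE where it is safe
Import-Module ActiveDirectory

$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
                   'Print Operators', 'Server Operators', 'Domain Admins'
$aoSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-548')  # BUILTIN\Account Operators

# Expand nested membership once up front; -Recursive follows group-in-group chains,
# which is the case the thread warns a naive per-user check would miss.
$protectedBy = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedBy[$_.distinguishedName] = $g }
}

$report = foreach ($u in Get-ADUser -Filter * -Properties adminCount) {
    $path = 'AD:\' + $u.DistinguishedName
    $acl  = Get-Acl -Path $path
    # Compare by SID so the check does not depend on the display name or locale.
    $hasAce = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $aoSid
    })
    $group = $protectedBy[$u.DistinguishedName]
    $state = if ($hasAce -and $group) { 'ACE present but user is in a restricted group' }
             elseif ($hasAce)         { 'ok' }
             elseif ($group)          { "expected: member of $group" }
             else                     { 'MISSING: not in any restricted group' }

    if ($Fix -and -not $hasAce -and -not $group) {
        # Grant the same full-control ACE a newly created user object carries.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $aoSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        $state += ' (fixed)'
    }
    [pscustomobject]@{
        User       = $u.SamAccountName
        AdminCount = $u.adminCount   # 1 = AdminSDHolder protection was applied at some point
        State      = $state
    }
}
$report | Sort-Object State | Format-Table -AutoSize
```

Run it without -Fix first and review the MISSING rows, as the thread advises; a user reported MISSING with AdminCount 1 was protected at some point and deserves a look before the ACE is re-added.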


From: Herb Martin on

"Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote in
message news:uaxO7kSwIHA.6096(a)TK2MSFTNGP06.phx.gbl...
> Does this article explain what you see:
>
> http://support.microsoft.com/kb/245174
>
> Per the article Account Operators cannot manage users that are members of
> the following restricted groups:
>
> Account Operators
> Administrators
> Backup Operators
> Print Operators
> Server Operators
> Domain Admins
>
> If you have users that are not members of any of these groups, even due to
> group nesting, and lack the ACE, then you have a problem. However, any
> program to fix it must check each user for membership in any of these
> groups, or any other groups that are members of these groups.

I was going to mention this.

And as to the delegation of authority, it can be performed for
this group or others using either Permission tabs or the
delegation of control wizard (right click on domain or OU.)


From: mpatraw_EPIC_Imaging on
Richard,

Thanks for the response.
I read this article, but I guess I didn't check every group. I just checked
and all of the users that are not able to be administered by Account
Operators are part of the Print Operators group. I'm not sure how that
happened. I guess it's possible that a new user being created by copying an
existing user, some of those copied users had print operators and were just
not removed after being created.

Question. If I remove those users from Print Operators, should they
regain the security ACE for Account Operators? I will test a few.

"Richard Mueller [MVP]" wrote:

> Does this article explain what you see:
>
> http://support.microsoft.com/kb/245174
>
> Per the article Account Operators cannot manage users that are members of
> the following restricted groups:
>
> Account Operators
> Administrators
> Backup Operators
> Print Operators
> Server Operators
> Domain Admins
>
> If you have users that are not members of any of these groups, even due to
> group nesting, and lack the ACE, then you have a problem. However, any
> program to fix it must check each user for membership in any of these
> groups, or any other groups that are members of these groups.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --