Deny Enable / Disable user permission in AD

LMS 156 Reputation points
2021-01-12T06:40:19.833+00:00

Hi

We have delegated all user management tasks to the service desk. Now management asks us to revert the enable / disable user accounts permission for the service desk. When we remove the permission "Write userAccountControl", we get a warning saying that 180 properties will be modified, and all the properties are shown one by one in the Advanced Security tab. So how can we apply a deny on the enable / disable user accounts permission for the service desk?

Thanks in advance

Active Directory

Accepted answer
  1. Hannah Xiong 6,281 Reputation points
    2021-01-12T08:57:19.387+00:00

    Hello,

    Thank you so much for posting here.

    According to your description and my understanding, I have tested as shown below.

    Configure the Delegation control for the special user account to have the enable and disable user accounts permission.
    55628-11.png

    55568-12.png

    55629-13.png

    When I tried to remove the permission "Write userAccountControl", there was no warning.

    55722-14.png

    If we would like to delete the delegated enable and disable user accounts permission, we could remove the special user account as shown below.

    55636-15.png

    To deny this permission, we could try the below to check whether it works.

    55676-16.png

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


    1 person found this answer helpful.
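
The deny entry from the accepted answer can also be applied from PowerShell instead of the Advanced Security dialog. This is an added example, not part of the original thread; the OU path and group name are placeholders, and it assumes the RSAT ActiveDirectory module and rights to modify the OU's ACL.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread)
$ouDn      = 'OU=Staff,DC=example,DC=com'
$groupName = 'ServiceDesk'

# Resolve schemaIDGUIDs from the schema instead of hard-coding them
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'   # attribute being denied
$userGuid = Get-SchemaGuid 'user'                 # object class the ACE applies to

$sid = (Get-ADGroup $groupName).SID

# Deny WriteProperty on userAccountControl, inherited to descendant user objects.
# userAccountControl is a bitmask, so this blocks every flag in it,
# not only the enabled/disabled bit.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Confirm the entry is present on the OU
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and
                   $_.ObjectType -eq $uacGuid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

Because explicit entries on an object are evaluated before inherited ones, an allow set directly on an individual user object would still take precedence over this inherited deny.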

3 additional answers

  1. Thameur-BOURBITA 35,511 Reputation points
    2021-01-12T08:17:12.127+00:00

    Hi,

    Unfortunately, these kinds of operations cannot be individually delegated. The flag that indicates whether a user is enabled or disabled is part of a bitmask called userAccountControl, which controls various other properties of a user account.



  2. LMS 156 Reputation points
    2021-01-12T08:40:55.647+00:00

    Thank You

    Is there a way to deny only enable / disable users to the service desk?


  3. LMS 156 Reputation points
    2021-01-12T12:53:24.323+00:00

    Thanks Hannah

    We have denied "userAccountControl" with service desk admins and it looks fine. Will monitor how this affects them while they create / modify users ....
