Channel: Directory Services forum

Set up Deny access for everyone on a user object without affecting email functionality

Hello there-

We are running 2003 domain functional level.
I got a request to secure an OU and the user objects within, to be used for terminated users... The idea is to
1. prevent anyone (except for one custom security group) from being able to enable users after they have been disabled (even account operators and DAs shouldn't be able to enable the disabled users by default)
2. we also don't want the operation above to affect the ability to send email messages to this disabled user
3. and we still want users to be able to look up the user account in ADUC and read all attributes (except the enabled/disabled status, if possible)

Here is my experience:
Taking ownership of the user object and setting up "deny all" permission for the "everyone" group seems to take care of the first point, because then only the "owner" is able to see/modify the security permissions for that user object, which is good, BUT the issue with that is that Exchange will disconnect the mailbox, most probably because it is unable to read the user attributes! And no one can view the user object attributes in ADUC (in fact even the user icon will change in AD!)

I tried different scenarios like:
- Take ownership of the user object, set up "deny all" except the "Read" permission. I noticed that just by leaving the Read permission unchecked, any user/group who has full access rights on the user object can modify the security settings and/or take ownership (that's when I realized it doesn't take the most restrictive permissions!)

I am looking for the shortest, most reliable method with an easy roll back to achieve this... can you please help?


Ali Beeai
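One way to scope the restriction to the enable/disable flag instead of denying everything, as an added PowerShell example that is not part of the original post: it denies write access to userAccountControl only, so read access for Exchange and ADUC is unchanged. The OU distinguished name and the custom group name are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the post); RSAT ActiveDirectory module assumed, names are placeholders.
# Owners and holders of WriteDacl (Domain Admins by default) can still edit this ACL.
Import-Module ActiveDirectory
$OuDn     = 'OU=Terminated Users,DC=example,DC=com'   # placeholder OU
$AllowGrp = 'EXAMPLE\Reenable-Terminated-Users'        # placeholder custom group

# Resolve schemaIDGUIDs from this forest's schema instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID).schemaIDGUID
}
$uacGuid       = Get-SchemaGuid 'userAccountControl'   # attribute holding the disabled bit
$userClassGuid = Get-SchemaGuid 'user'                 # restrict inheritance to user objects

# Save the current SDDL so the OU change can be rolled back.
$acl = Get-Acl -Path "AD:\$OuDn"
Set-Content -Path "$env:TEMP\terminated-ou-before.sddl" -Value $acl.Sddl

# 1. Inherited DENY of WriteProperty on userAccountControl only, for Everyone.
#    Read access and all other writes are untouched, so Exchange and ADUC
#    can still read the object; only the enable/disable flag is locked.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 2. The custom group gets an EXPLICIT allow on each user object. AD evaluates
#    explicit deny, explicit allow, inherited deny, inherited allow in that
#    order, so this allow beats the inherited deny above; an allow inherited
#    from the OU would lose to it.
$grpSid = ([System.Security.Principal.NTAccount]$AllowGrp).Translate(
              [System.Security.Principal.SecurityIdentifier])
$allow = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $grpSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
Get-ADUser -SearchBase $OuDn -SearchScope OneLevel -Filter * | ForEach-Object {
    $uAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $uAcl.AddAccessRule($allow)
    Set-Acl -Path "AD:\$($_.DistinguishedName)" -AclObject $uAcl
}
```

Users moved into the OU later need the same explicit allow added, so step 2 belongs in whatever process moves terminated accounts there. To roll back the OU change, load the saved SDDL with `SetSecurityDescriptorSddlForm` on the ACL object and `Set-Acl` it again.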