remove 'delete a user account' permissions from an Account Operato

Active Directory


  #1  
Old 12-05-2007
KUMAIL
 
Posts: n/a
remove 'delete a user account' permissions from an Account Operato

In Active Directory, I have two types of users in the same OU. Administrators
and Account Operators are in the same OU.

My question is: How can I remove 'delete a user account' permissions from an
Account Operator without affecting the rights of the administrators?

Note: I don't want to use two different OUs. I want to keep both types of
users in the same OU and make some changes to the rights of the Account
Operators.

Thanks in advance for any help or hints.
  #2  
Old 12-05-2007
Jeremy
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Operato

When you delegate rights you do so to an OU and the objects it contains.
Who you delegate rights to (or remove from) is done per user or group of
users and it doesn't matter what OU their accounts reside in. When you
delegate rights to an OU that has user accounts in it that are members of
the Administrators and Account Operators groups, the rights you delegate will
get wiped out pretty quickly anyway due to the AdminSDHolder process that
Active Directory performs periodically to protect "special" accounts.

See this article to explain what the AdminSDHolder is all about:
<http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx>

  #3  
Old 12-05-2007
Jorge Silva
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Operato

Hi KUMAIL,
Try not to add users to groups that are protected by AdminSDHolder.
The Active Directory directory service has a process that makes sure that
members of protected groups do not have their security descriptors
manipulated. If a security descriptor for a user account that is a member of
a protected group does not match the security descriptor on the
AdminSDHolder object, the user's security descriptor is overwritten with a
new security descriptor that is taken from the AdminSDHolder object.

Create your own groups and delegate what you want to delegate to them.
Refer to the following document for more info about delegation:
How Delegation Works in Active Directory
http://www.microsoft.com/technet/pro...y/actdid3.mspx

--
I hope that the information above helps you.
Have a nice day.

Jorge Silva
MCSE, MVP Directory Services

  #4  
Old 14-05-2007
KUMAIL
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Ope


Thanks Jorge Silva
Thanks Jeremy

The info you guys provided helped me a lot indeed.

I have one more question please:

I want to create a security group exactly identical to the Account Operator
Group. The only thing I need to disable is the "delete user accounts" permission.
Is there a way to copy the rights of the Account Operator and paste them to
my custom security group?

Also, where can I find the list of all permissions (in the delegate control
wizard) with their explanations?

Thanks again.

  #5  
Old 14-05-2007
Jeremy
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Ope

This would be a big ask. I guess these must be granted through AD
permissions. My approach would be to search through all the standard AD OUs
and containers and see what permissions were granted to the Account
Operators group and then apply the same permissions in the same places where
you find Account Operators entries.

I think a better approach would be to simply create new delegations that
grant the tasks that you want. It would be simpler.

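
The approach suggested in the replies above (a custom group with its own delegations instead of Account Operators), sketched as an added example that is not part of the original thread. The OU, domain and group names are placeholders, and the set of delegated tasks (create users, edit user properties, reset passwords) is an assumption about what the poster needs.

```powershell
# Added example: placeholder names, run as a domain admin with RSAT installed.
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=example,DC=com'      # hypothetical OU
$group   = 'UserAdmins-NoDelete'             # hypothetical custom group
$trustee = "$((Get-ADDomain).NetBIOSName)\$group"

# 1. Custom group; do not nest it in Account Operators or any other
#    group protected by AdminSDHolder.
New-ADGroup -Name $group -SamAccountName $group `
    -GroupScope Global -GroupCategory Security -Path $ou

# 2. Delegate on the OU. CC = create child. DC (delete child), SD (delete)
#    and DT (delete tree) are deliberately never granted.
dsacls $ou /I:T /G "${trustee}:CC;user"                 # create user objects
dsacls $ou /I:S /G "${trustee}:RPWP;;user"              # read/write user properties
dsacls $ou /I:S /G "${trustee}:CA;Reset Password;user"  # reset passwords

# 3. Verify that no Allow ACE for the group carries a delete right.
#    GenericAll (full control) contains these bits, so it is caught too.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree'
$badAces = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $deleteRights)
}
if ($badAces) {
    Write-Warning "Delete rights found for ${trustee}:"
    $badAces | Format-Table ActiveDirectoryRights, ObjectType, IsInherited
} else {
    "No delete rights granted to $trustee on $ou"
}

# 4. Accounts in the OU that AdminSDHolder protects (adminCount = 1).
#    Their ACLs are periodically overwritten, so the delegation above
#    will not persist on these objects.
Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

Step 3 only inspects ACEs granted directly to the custom group on this OU; rights the members hold through other groups, or on other containers, need the same check.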
  #6  
Old 14-05-2007
KUMAIL
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Ope

Thanks Jeremy,

Then I will go with the simpler way. I will simply create new delegations
that grant the tasks I want.

I couldn't find a manual or a list that contains all the tasks and their
meaning or explanation. Any idea where I can find such a thing in order to know
what each task exactly means?

Thanks

  #7  
Old 14-05-2007
Jeremy
 
Posts: n/a
Re: remove 'delete a user account' permissions from an Account Ope

No, I've never seen such a thing. There is a really involved delegation
guide from MS, but it is a bit overblown and difficult to understand.
http://www.microsoft.com/downloads/d...displaylang=en
