The question is “How do I delegate enabling and disabling Active Directory accounts?”. Unfortunately, these two operations cannot be delegated individually. The flag that indicates whether a user is enabled or disabled is a single bit in a bitmask attribute called userAccountControl. The vast majority of the bits in this mask correspond to the checkboxes you see on the Account tab of Active Directory Users and Computers (ADUC):
The complete list of what is stored in the bitmask (copied out of the iads.h header) is below. Most of them should be fairly self-explanatory, but this MSDN article explains them all. The number after each name is the bit that represents that flag in the mask (in hex):
- ADS_UF_SCRIPT = 0x1
- ADS_UF_ACCOUNTDISABLE = 0x2
- ADS_UF_HOMEDIR_REQUIRED = 0x8
- ADS_UF_LOCKOUT = 0x10
- ADS_UF_PASSWD_NOTREQD = 0x20
- ADS_UF_PASSWD_CANT_CHANGE = 0x40
- ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80
- ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100
- ADS_UF_NORMAL_ACCOUNT = 0x200
- ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800
- ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
- ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
- ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
- ADS_UF_MNS_LOGON_ACCOUNT = 0x20000
- ADS_UF_SMARTCARD_REQUIRED = 0x40000
- ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
- ADS_UF_NOT_DELEGATED = 0x100000
- ADS_UF_USE_DES_KEY_ONLY = 0x200000
- ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000
- ADS_UF_PASSWORD_EXPIRED = 0x800000
- ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
Why list all these options? Write access to the attribute is all-or-nothing: if you delegate a user the right to modify userAccountControl, you give them the right to set or clear every one of these bits, not just ADS_UF_ACCOUNTDISABLE. That includes bits that weaken an account's security, such as ADS_UF_PASSWD_NOTREQD, ADS_UF_DONT_REQUIRE_PREAUTH and ADS_UF_TRUSTED_FOR_DELEGATION. If you are comfortable with this, the steps below show you how to delegate access to the userAccountControl attribute.
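As an added example (not code from the original post), the following Python decodes a userAccountControl value using the flags listed above and, given the old and new values of a write (for instance the old and new values that Windows security auditing records when a user account is changed), reports whether anything other than ADS_UF_ACCOUNTDISABLE was touched. The sample values are constructed.

```python
"""Decode userAccountControl and audit what a write to it actually changed.

Added example; the bit values are the ADS_UF_* constants from iads.h
listed above, and the sample old/new values at the bottom are constructed.
"""

# bit -> flag name, in the order iads.h lists them
ADS_UF = {
    0x1: "SCRIPT", 0x2: "ACCOUNTDISABLE", 0x8: "HOMEDIR_REQUIRED",
    0x10: "LOCKOUT", 0x20: "PASSWD_NOTREQD", 0x40: "PASSWD_CANT_CHANGE",
    0x80: "ENCRYPTED_TEXT_PASSWORD_ALLOWED", 0x100: "TEMP_DUPLICATE_ACCOUNT",
    0x200: "NORMAL_ACCOUNT", 0x800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

ACCOUNTDISABLE = 0x2  # the only bit the enable/disable delegation is meant to cover


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value."""
    return [name for bit, name in ADS_UF.items() if value & bit]


def uac_changes(old, new):
    """Return (flags_set, flags_cleared) for a modification from old to new."""
    flags_set = [name for bit, name in ADS_UF.items() if new & bit and not old & bit]
    flags_cleared = [name for bit, name in ADS_UF.items() if old & bit and not new & bit]
    return flags_set, flags_cleared


def only_toggled_enable(old, new):
    """True when the write changed nothing except ADS_UF_ACCOUNTDISABLE."""
    # XOR gives the bits that differ; mask out the one bit we expect to move
    return ((old ^ new) & ~ACCOUNTDISABLE) == 0


if __name__ == "__main__":
    # constructed sample: a normal account disabled, then re-enabled with
    # an extra flag slipped in by the same delegated write
    for old, new in [(0x200, 0x202), (0x202, 0x400200)]:
        flags_set, flags_cleared = uac_changes(old, new)
        print(f"{old:#x} -> {new:#x}: set={flags_set} cleared={flags_cleared} "
              f"enable/disable only: {only_toggled_enable(old, new)}")
```

A delegated "disable" write that also flips other bits shows up here as extra entries in the set or cleared lists, which is the condition worth alerting on when reviewing changes to userAccountControl.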
In this example, we will grant a group called User Admins the right to modify the userAccountControl attribute on all User objects in the Sales OU. As always, it is best practice never to delegate a right directly to a user; delegate it to a security group of which the user is a member.
- Launch ADSI Edit (Start > Run > adsiedit.msc).
- Browse to the Sales OU and open the properties of the OU.
- Select the security tab and then click Advanced.
- Click Add and enter the name of the group (“User Admins”). At this point your screen should look similar to the following image:
- Click OK and then switch to the Properties tab of the ACL editor dialog.
- Select “User objects” from the Apply onto dropdown.
- Scroll down to the userAccountControl entry.
- Check the Allow checkboxes for Read userAccountControl and Write userAccountControl (technically the Read right is not necessary but I’ve chosen to include it in case default permissions have been modified elsewhere).