0 votes

We have a customized the help desk security role to allow only resetting passwords and unlocking accounts. We don't want them to be able to enable accounts that are disabled. I don't see an option for denying write of the property "Account is disabled" or "Useraccountcontrol" or "ms-ds-user-account-disabled". Is it possible to prevent the user from writing to certain "account options"? It seems that its an all or nothing setting.

by (480 points)

1 Answer

0 votes
by (162k points)

Hello Mark,

Unfortunately, it is not possible to disallow users to modify only specific Account Options flags as it is a single property.

As a solution, you can use a Business Rule triggering Before enabling a user account that will cancel the operation if it is performed by a Help Desk user. The rule will look like the following: image.png

0

Thanks! That will work!

Related questions

0 votes
1 answer

I have setup a form to allow HR to edit some details on AD accounts. Currently the scope is limted to only AD object under one pre-chosen OU. The other option is an ldap filter. How can I allow this action to display user accounts from two seperate OU

asked Nov 18 by ice-dog (940 points)
0 votes
1 answer

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call ... Adaxes users from adding users from Domain X to any groups outside of Domain X. Thanks

asked Jan 29, 2013 by jiambor (5.5k points)
0 votes
0 answers

Hi, how can I change Help Desk to something a little more specific like "Onboarding Portal"? Or a bit more catchy that our HR will like rather then see Help Desk in the left hand corner.

asked Oct 9 by 6FigureMission (710 points)
0 votes
0 answers

Using the Adaxes Administration Console, you can perform bulk update of AD users in several ways: Using the Add or Modify Property Wizard: Select the AD users you need in ... multiple user and computer accounts, add users or contacts to a group in bulk, etc.

asked Apr 28, 2009 by Support (213k points)
0 votes
1 answer

How can I allow manager of distribution group to edit just email aliases (proxy addresess) of that group? Not the primary SMTP address.

asked Nov 19 by KIT (1.1k points)
2,031 questions
1,806 answers
5,156 comments
1,018 users