Create Active Directory User accounts
|
Create User Objects
To create the account enabled, you must have the ability to Read/Write
the userAccountControl property. To create with the password expired, you
must be able to Read/Write the Account Restrictions property set (includes
the userAccountControl property).
|
Delete Active Directory User accounts
|
Delete User Objects
|
Update Active Directory User accounts
|
|
Change/Reset AD User account passwords
Unlock AD User accounts
Expire AD User accounts
|
User Object permissions:
- List Contents
- Read All Properties
- Read Permissions
- Change Password
- Reset Password
User Property permissions:
- Read/Write lockoutTime Property
- Read/Write Account Restrictions Property set
- Read accountExpires Property
To set permissions for the lockoutTime property, you should use the cacls.exe program available
in the Windows 2000 Server resource kit.
|
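The following added example (not part of the original table or of any product's code) audits an SDDL string exported from the users container against the password/unlock/expire permission list above, reporting permissions the service account lacks and grants broader than the table asks for. The GUIDs are the standard AD schema and extended-right GUIDs rather than values from this page; the SID and sample DACL are constructed. It assumes two-letter SDDL rights codes and looks only at allow ACEs that name the SID directly, ignoring deny ACEs, group membership and inheritance flags.

```python
import re

# Standard AD schema / extended-right GUIDs (Microsoft schema values, not from this page).
GUIDS = {
    "Change Password": "ab721a53-1e2f-11d0-9819-00aa0040529b",
    "Reset Password": "00299570-246d-11d0-a768-00aa006e0529",
    "Account Restrictions": "4c164200-20c0-11d0-a768-00aa006e0529",
    "lockoutTime": "28630ebf-41d5-11d1-a9c1-0000f80367c1",
    "accountExpires": "bf967915-0de6-11d0-a285-00aa003049e2",
}
# (permission from the table, SDDL rights needed, GUIDS key or None when unscoped)
REQUIRED = [
    ("List Contents", {"LC"}, None),
    ("Read All Properties", {"RP"}, None),
    ("Read Permissions", {"RC"}, None),
    ("Change Password", {"CR"}, "Change Password"),
    ("Reset Password", {"CR"}, "Reset Password"),
    ("Read/Write lockoutTime", {"RP", "WP"}, "lockoutTime"),
    ("Read/Write Account Restrictions", {"RP", "WP"}, "Account Restrictions"),
    ("Read accountExpires", {"RP"}, "accountExpires"),
]
BROAD = {"GA", "GW", "WD", "WO"}  # full control, generic write, write DACL, write owner

def granted(sddl, sid):
    """Return {object GUID ('' = unscoped): rights} from allow ACEs naming sid."""
    out = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object GUID;inherited object GUID;SID
        if len(f) == 6 and f[0] in ("A", "OA") and f[5] == sid:
            out.setdefault(f[3].lower(), set()).update(re.findall("..", f[2]))
    return out

def audit(sddl, sid):
    """Return (missing table permissions, grants broader than the table asks for)."""
    g = granted(sddl, sid)
    unscoped = g.get("", set())  # unscoped rights cover every property / extended right
    missing = [label for label, need, key in REQUIRED if "GA" not in unscoped
               and not need <= unscoped | (g.get(GUIDS[key], set()) if key else set())]
    excess = set().union(*g.values()) & BROAD
    if "WP" in unscoped:
        excess.add("WP on all properties")
    return missing, sorted(excess)

# Constructed sample DACL for a hypothetical users OU; the SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = "D:(A;CI;LCRPRC;;;%s)" % SID + "".join(
    "(OA;CIIO;%s;%s;bf967aba-0de6-11d0-a285-00aa003049e2;%s)" % (r, GUIDS[k], SID)
    for r, k in (("CR", "Reset Password"), ("RPWP", "lockoutTime"), ("RPWP", "Account Restrictions")))
```

Calling `audit(SAMPLE, SID)` reports Change Password as missing and no excess grants.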