Your environment security policies require that you control the ability to Unix-enable and disable an AD account.
1. Permissions required for Unix-enabling an AD Account.
"Write" access to the following attributes for a user account:
2. Once an AD account is Unix-enabled, disabling it (which means setting its login shell to /bin/false) requires write access to the loginShell attribute.
To modify an attribute, the user or group performing the change needs "write" access to that specific attribute, so rights can be delegated narrowly (for example, someone can be granted rights only to modify the gecos attribute of users).
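The following is an added example (not part of the original article) showing how an administrator would delegate exactly this narrow right in Active Directory: write access to the loginShell attribute alone, for one group, on user objects under one OU. The group name UNIX-Admins and the OU path are placeholders; the attribute and class GUIDs are read from the schema at run time rather than hard-coded.

```powershell
# Added example, not from the original article. Delegates WriteProperty on the
# loginShell attribute only, to one group, scoped to user objects under one OU.
# Placeholders: the group name and the OU distinguished name below.
Import-Module ActiveDirectory

$group     = 'UNIX-Admins'                       # placeholder delegate group
$ouDN      = 'OU=Unix Users,DC=example,DC=com'   # placeholder scope of the delegation
$attribute = 'loginShell'                        # the single attribute being delegated

# Resolve the schemaIDGUID of the attribute and of the 'user' class, so the ACE
# applies to exactly this property on exactly this object class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attribute))" `
    -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADGroup $group).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# One ACE: Allow WriteProperty on <loginShell> for descendant <user> objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: show every ACE on the OU that grants WriteProperty on this
# attribute GUID, so the delegation can be reviewed for scope creep later.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
```

Because the ACE is bound to a single attribute GUID and a single object class, members of the delegate group can set loginShell (for example to /bin/false) but cannot touch any other attribute of the user; granting broader "write all properties" rights on the OU would silently exceed what the policy above requires.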