Return
-
Title
What are the permissions required for a user to be able to Unix-enable and disable an an account in Active Directory Users and Computers? -
Description
Your environment security policies require that you control the ability to Unix-enable and disable an AD account.
-
Resolution
1. Permissions required for Unix-enabling an AD Account.
"Write" access to the following attributes for a user account:
uidNumber
gidNumber
gecos
unixHomedirectory
loginShell
2. Once an AD Account is Unix-enabled, to disable them (which means set their shell to /bin/false), they need write access to loginShell attribute.
To modify attributes the user or group needs "write" access (for example someone can have rights just to modify gecos for users).