
Preventing Helpdesk from manually Disabling or Enabling accounts

Hi,

I'm trying to force our Helpdesk to always use Deprovision (or Undo Deprovision) to disable/enable accounts. Occasionally they still try to manually revert the Deprovisioning process, causing unwanted account deletions after X days.

How can I block/deny them from using Disable/Enable accounts so they can only use the Deprovision-related tasks? I don't mind using explicit Deny templates, but I can't seem to get the right attributes included without breaking other functionality (for example, when blocking access to userAccountControl, it has a lot of side effects).

Thanks

  • In order to disable an account, a Delegated Admin needs to write to the attribute named edsaAccountIsDisabled. If you don't grant write access or block write access to this attribute, then the Delegated Admin will not be able to disable/enable accounts.

  • This is exactly what I was trying, but I don't see this attribute when browsing the User properties in my Access Template. I've selected "Show all possible properties" but it's not showing up in the Object property access list.

    Regarding the other suggestions here: the challenge I have is that we have many organizations in our AD, each in their own OU. Each OU has its own Deprov policies with its own "Terminated" OU, so I would have to assign a lot of policies on all of these individual OUs. I'd rather specify a top-level "Deny Enable/Disable" template across the entire structure.

    Thanks for the feedback!

  • "edsaAccountIsDisabled" is the LDAPName. The friendly name is "Account is Disabled".
