Adaxes

How can I prevent Help Desk from being able to enable accounts?

0 votes

We have a customized the help desk security role to allow only resetting passwords and unlocking accounts. We don't want them to be able to enable accounts that are disabled. I don't see an option for denying write of the property "Account is disabled" or "Useraccountcontrol" or "ms-ds-user-account-disabled". Is it possible to prevent the user from writing to certain "account options"? It seems that its an all or nothing setting.

by (2.3k points)

1 Answer

+1 vote
by (294k points)
selected by
Best answer

Hello Mark,

Unfortunately, it is not possible to disallow users to modify only specific Account Options flags as it is a single property.

As a solution, you can use a Business Rule triggering Before enabling a user account that will cancel the operation if it is performed by a Help Desk user. The rule will look like the following: image.png

0

Thanks! That will work!

by (2.3k points)

Related questions

0 votes
1 answer
Can I prevent select accounts with expired passwords from being able to change it in the web interface?

We have some accounts that we would like to prevent from changing their password on login when it is expired. This is because we have saml setup on individual interface pages ... of a loophole for us as we require dual factor and use saml to accomplish this.

asked Oct 26, 2021 by mark.it.admin (2.3k points)
0 votes
1 answer
Prevent users from being able to edit any AD Group

Hi , how can i prevent users from being able to edit any group . As you can see users are not in read only mode , they can click on group and edit that. how can i prevent from one user doing this?

asked Dec 5 by vagifazari (450 points)
0 votes
1 answer
How can I prevent this from causing an external loop?

Any advice would be greatly appreciated.

asked Feb 9, 2023 by Homelander90 (350 points)
0 votes
1 answer
Can I allow ADAxes Webf form users to choose user accounts from more than one OU

I have setup a form to allow HR to edit some details on AD accounts. Currently the scope is limted to only AD object under one pre-chosen OU. The other option is an ldap filter. How can I allow this action to display user accounts from two seperate OU

asked Nov 18, 2019 by ice-dog (170 points)
0 votes
1 answer
Prevent user from being added to certain groups

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call ... Adaxes users from adding users from Domain X to any groups outside of Domain X. Thanks

asked Jan 29, 2013 by jiambor (1.2k points)
3,589 questions
3,278 answers
8,303 comments
548,130 users