How do I delegate the ability to enable or disable computer accounts? (NETIQKB73274)

  • 7773274
  • 17-Nov-2011
  • 17-Nov-2011

Environment

Directory & Resource Administrator 8.x

Situation

How do I delegate the ability to enable or disable computer accounts?

What power includes the ability to enable or disable computer accounts?

What role includes the ability to enable or disable computer accounts?

Resolution

There isn't a built-in power specifically for the Enable/Disable of a computer object.  The only built-in power that covers that also covers pretty much every thing else you want to do to a computer: "Modify All Computer Properties".  Likewise, this power is picked up in the built-in power "Create Computer and Modify All Properties".  There are also three built-in Roles that include the 'modify all' power:  "Computer Administration", "Create and Delete Computer Accounts" and "Manage Computer Properties".

Delegating any of these powers or roles will allow your Admins to go into the properties of a computer and either enable or disable it.

You can also create a custom power to cover just the Enable/Disable attribute.  If you do so, you will want to create a power that has the action to "Sets information for the specified computer" and map it to the "AccountDisabled" attribute field.  That way, you can just delegate this sole power over computer objects and your Admins can enable or disable them. 

Additional Information

Formerly known as NETIQKB73274

Feedback service temporarily unavailable. For content questions or problems, please contact Support.