Active Directory userAccountControl modify permission

active-directory

I work at a college. For the next academic year, all students under 18 must take a quick e-safety test before being given their Windows logon (don't ask), so the accounts are created in a disabled state (the userAccountControl property in AD). I have written the program that queries the test results, and it can enable users if I run it with a domain account.

But we want to give it out to a couple of users for manual overrides for various reasons, so is it possible to create a service account that would only be able to modify the userAccountControl property?

Note: I'm a programmer, not a network admin, so please be gentle; my AD knowledge is mostly about querying it.

Best Answer

It's quite possible to do this. On your Student OU (assuming you have one), set a permission to modify it. To set it up right, in ADU&C, go to the OU object, right-click and go to Properties:

  • On the Security tab, click Advanced
  • Add the user
  • Select the Properties tab
  • Change it to "All Descendant User Objects"
  • Check "Read" and "Write" to "UserAccountControl"

That object will now be able to set the account state for all user objects in that OU.

How we've handled this problem is by creating a web application with its own authentication (we use our SSO solution to manage access to it) that handles these requests from your exception-desiring technicians. The web-app then performs the actions with the account created above. The app acts as an auditable proxy for who is unlocking what.
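The same delegation done from PowerShell instead of the ADU&C dialog, as an added example that is not part of the answer above. It assumes the RSAT ActiveDirectory module and the placeholder OU and account names below; the schema GUIDs are looked up rather than hard-coded.

```powershell
# Added example (not from the original answer). Adjust the two placeholder
# names to your domain before running this from an account that may edit
# the OU's ACL.
Import-Module ActiveDirectory

$ouDN   = 'OU=Students,DC=college,DC=example'   # placeholder: the Student OU
$svcSam = 'svc-enable-students'                 # placeholder: the service account
$svcSid = (Get-ADUser -Identity $svcSam).SID

# Resolve the schemaIDGUIDs for the attribute and the object class from the
# schema partition, so nothing is typed in by hand.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'   # the single attribute delegated
$userGuid = Get-SchemaGuid 'user'                 # limit to descendant user objects

# Build the ACE: Read + Write on userAccountControl, inherited by descendant
# user objects only (the "All Descendant User Objects" choice in the GUI).
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the ACE should appear once, scoped to the userAccountControl GUID.
$check = (Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$svcSam" -and $_.ObjectType -eq $uacGuid }
if ($check) { "Delegation in place: $($check.ActiveDirectoryRights) on userAccountControl" }
else        { Write-Error "ACE not found on $ouDN" }
```

The ACE grants write access to the whole userAccountControl bitmask, not only the disable bit, so treat the service account as privileged and keep its use logged; the auditable web-app proxy described in the answer is one way to do that.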