|Subject:||Hiding user accounts|
|Posted by:||JayDee (dopami…@mail.com)|
|Date:||Thu, 23 Aug 2007|
I'd like to do the following for specific users:
1> Allow them to successfully apply user policies with GPUPDATE
2> Stop them from adding their ID to any groups, but they can add
other users to those groups (I know this is an odd request).
It seems like it is not possible to do these two things since a user
must be able to see his account in AD (have list rights) in order to
be able to accomplish #1 (or he gets a user not found error in the
EL), but if he can even see his ID with read-only rights, he can do #2
since that ability is only dependant on his permissions to the group
object, not the user object.
Does anyone not concur?