Members of Account Operators Group Cannot Manage All User Accounts

This article was previously published under Q245174
This article has been archived. It is offered "as is" and will no longer be updated.
When you attempt to manage certain user accounts from a computer running Microsoft Windows NT Server 4.0 and you are a member of the Account Operators group for a domain, you may receive an 'Access Denied' error message.
This behavior can occur if the user accounts that you are trying to manage are members of a restricted group.
To work around this behavior, find out which groups the user accounts belong to, and ask your system administrator about modifying the security rights.
This behavior is by design.
More information
By default, members of the Account Operators group cannot manage user accounts that belong to any of the following groups:

  • Account Operators (local)
  • Administrators (local)
  • Backup Operators (local)
  • Print Operators (local)
  • Server Operators (local)
  • Domain Admins (global)
If one of the user accounts does not belong to any of the listed groups, check whether it is a member of some global group that is in turn a member of one of the five restricted local groups. If this is the case, you still cannot manage that user account.
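
The membership check described above, written out as an added example (not part of the original article or of any Microsoft tool). It reports why an account falls under the restriction, using constructed membership data; the account names, the "Helpdesk Tier2" group and the function name are hypothetical.

```python
# Added example: models the rule from this article on constructed data.
RESTRICTED_LOCAL = {
    "Account Operators", "Administrators", "Backup Operators",
    "Print Operators", "Server Operators",
}
RESTRICTED_GLOBAL = {"Domain Admins"}


def restriction_paths(user, user_groups, local_group_members):
    """Return sorted reasons why Account Operators cannot manage `user`.

    user_groups: user -> set of groups (local or global) the user is in directly.
    local_group_members: restricted local group -> global groups it contains.
    An empty list means the rule in this article does not block the account.
    """
    direct = user_groups.get(user, set())
    reasons = []
    for group in sorted(direct & (RESTRICTED_LOCAL | RESTRICTED_GLOBAL)):
        reasons.append(f"direct member of {group}")
    # Indirect case: a global group the user belongs to is itself a member
    # of one of the five restricted local groups.
    for local in sorted(RESTRICTED_LOCAL):
        for glob in sorted(direct & local_group_members.get(local, set())):
            reasons.append(f"member of {glob}, which is in {local}")
    return reasons


# Constructed sample data (hypothetical account and group names).
USER_GROUPS = {
    "alice": {"Domain Users"},
    "bob": {"Domain Users", "Print Operators"},
    "carol": {"Domain Users", "Helpdesk Tier2"},
    "dave": {"Domain Users", "Domain Admins"},
}
LOCAL_GROUP_MEMBERS = {
    "Administrators": {"Domain Admins"},
    "Server Operators": {"Helpdesk Tier2"},
}

if __name__ == "__main__":
    for name in sorted(USER_GROUPS):
        why = restriction_paths(name, USER_GROUPS, LOCAL_GROUP_MEMBERS)
        print(f"{name}: {'; '.join(why) if why else 'not blocked by this rule'}")
```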

For more information about the restrictions, see Chapter 2, 'Working With User and Group Accounts', in 'Concepts and Planning', a book that is part of the Microsoft Windows NT Server 4.0 documentation package.

Article ID: 245174 - Last Review: 10/26/2013 04:48:00 - Revision: 2.0

Microsoft Windows NT Server 4.0 Standard Edition
