This article was previously published under Q327709
This article has been archived. It is offered "as is" and will no longer be updated.
In Windows 2000, account operators can manage their own accounts or the accounts of other account operators. In Windows NT 4.0, account operators cannot do this.
Windows 2000 does not protect members of the Account Operators group from modifying their own account or the accounts of other account operators.
Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Change the access control list (ACL) settings for the Account Operators group to prevent account operators from modifying group membership. To do this, follow these steps:
Log on as a member of the Administrators group.
Start the Active Directory Users and Computers snap-in (dsa.msc).
On the View menu, click Advanced Features.
Under the Builtin container for the domain, right-click the Account Operators object, and then click Properties.
Click the Security tab in Account Operators Properties, select the Account Operators group, and then click Remove.
Prevent account operators from modifying the attributes of other account operators. To do this, follow these steps:
In the Active Directory Users and Computers snap-in, right-click the container for the domain (for example, ACME.COM) , point to New, and then click Organizational Unit. Name the new organizational unit AcctOps.
Right-click the AcctOps organizational unit, and then click Properties.
In AcctOps Properties, click the Security tab, select the Account Operators group, and then click to select the Deny check box next to the Full Control permission.
If you want to apply the same restrictions to members of the Print Operators group, on the Security tab, select the Account Operators group, and then click to select the Deny check box next to the Full Control permission.
Move all users who are members of the Account Operators group into the new AcctOps organizational unit. To move a user, right-click the user object that you want, click Move, and then select the AcctOps organizational unit.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
The hotfix that is described in this article makes the following changes:
One time per hour, the Windows 2000 primary domain controller (PDC) compares the ACL for the user accounts that are in protected groups (for example, Administrators or Account Operators ) to the ACL for the AdminSDHolder object. If the ACLs do not match, the security settings for the AdminSDHolder object overwrite the ACL and turn off ACL inheritance for the user object. This prevents an unauthorized user from modifying user accounts if the accounts are moved to a container or organizational unit in which the unauthorized user has the right to modify user accounts.
When you remove a user from a protected group, the user account retains the settings that it received from the AdminSDHolder object, and you must manually change the security settings for that user.
Note: After you apply the hotfix, you must wait as long as one hour for the security descriptors to be updated for existing members of the Account Operators group.
For additional information about Windows 2000 security settings, click the following article number to view the article in the Microsoft Knowledge Base:
217050 Description of Default Security Settings in Windows 2000
For additional information about account operators access rights, click the following article number to view the article in the Microsoft Knowledge Base:
245174 Members of Account Operators Group Cannot Manage All User Accounts
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
For additional information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:
296861 Use QChain.exe to Install Multiple Hotfixes with Only One Reboot