JSI Tip 8285. Disabled user accounts appear as enabled in Active Directory Users and Computers if a user does NOT have read access to the userAccountControl attribute?

Jerold Schulman

July 22, 2004


In a Windows Server 2003 domain, users who are NOT members of the following groups can view their own user account and any account they have been granted permission to create:

Domain Administrators
Account Operators
RAS Servers group
Built-in Administrators
Enterprise Administrators

If a user does NOT have read permission on the userAccountControl attribute, any disabled account returned by the Object Picker in Active Directory Users and Computers will appear as if it were enabled, because the disabled flag lives in that attribute and the picker cannot read it.

To resolve this issue, grant Read access on the userAccountControl attribute:

1. On a Windows Server 2003 domain controller, open a CMD.EXE window.

2. Using DSACLS, installed from the Support Tools folder of the CD-ROM, type the following command, and press Enter:

dsacls "[ou=Organizational Unit,]dc=DOMAIN,dc=COM" /I:S /G "domain users":rp;userAccountControl;user

NOTE: Case is important.

If you wanted to grant Read access to the userAccountControl attribute in the West Coast OU of JSIINC.COM:

dsacls "ou=West Coast,dc=JSIINC,dc=COM" /I:S /G "domain users":rp;userAccountControl;user

If you wanted to grant Read access to the userAccountControl attribute in the JSIINC.COM domain:

dsacls "dc=JSIINC,dc=COM" /I:S /G "domain users":rp;userAccountControl;user

NOTE: userAccountControl also carries flags such as PASSWD_NOTREQD, DONT_REQUIRE_PREAUTH and TRUSTED_FOR_DELEGATION, so granting every domain user read access to it discloses which accounts have those settings. Scope the grant to the OU that needs it rather than the whole domain where you can.
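The following PowerShell script is an added example and is not part of the original tip. It covers both halves of the problem above: it decodes userAccountControl itself so that an attribute the caller cannot read shows as "unknown" instead of passing as enabled, and it checks for the ReadProperty ACE on userAccountControl for Domain Users on an OU and adds it if missing, which is the same ACE the dsacls line creates (/I:S, inherit to sub-objects only, maps to ActiveDirectorySecurityInheritance.Descendents). It assumes the RSAT ActiveDirectory module, an account allowed to edit the OU's ACL, and uses the tip's example OU in $OU; everything else is resolved from the directory at run time.

```powershell
# Added example, not code from the original JSI tip.
# Assumes the ActiveDirectory (RSAT) module and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$OU = 'OU=West Coast,DC=JSIINC,DC=COM'   # example OU from the tip; replace with your own
$ACCOUNTDISABLE = 0x0002                  # userAccountControl bit set on a disabled account

function Get-AccountState {
    # Returns Enabled / Disabled / Unknown from the raw attribute. A $null value means
    # the caller could not read userAccountControl, which is exactly the case where the
    # ADUC object picker shows a disabled account as if it were enabled.
    param($User)
    $uac = $User.userAccountControl
    if ($null -eq $uac) { return 'Unknown (userAccountControl not readable)' }
    if (($uac -band $ACCOUNTDISABLE) -ne 0) { return 'Disabled' }
    return 'Enabled'
}

# Part 1: run as an ordinary domain user to see the symptom, then again after the fix.
Get-ADUser -SearchBase $OU -Filter * -Properties userAccountControl |
    ForEach-Object { '{0,-24} {1}' -f $_.SamAccountName, (Get-AccountState $_) }

# Part 2: resolve the schema GUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'   # the attribute (attributeSchema object)
$userGuid = Get-SchemaGuid 'user'                 # the class the ACE is inherited by

$domainUsersSid = (Get-ADGroup 'Domain Users').SID
$domainUsersNt  = $domainUsersSid.Translate([System.Security.Principal.NTAccount])
$acl = Get-Acl -Path "AD:\$OU"

# Is there already an Allow ACE for Domain Users, ReadProperty, on userAccountControl,
# inherited by user objects? (This is what dsacls /G "domain users":rp;userAccountControl;user adds.)
$present = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -eq $domainUsersNt -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
    $_.ObjectType -eq $uacGuid -and
    $_.InheritedObjectType -eq $userGuid
}

if ($present) {
    "Domain Users can already read userAccountControl on user objects under $OU"
} else {
    # Equivalent of: dsacls "$OU" /I:S /G "domain users":rp;userAccountControl;user
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $domainUsersSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $uacGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
    "Granted Domain Users ReadProperty on userAccountControl for user objects under $OU"
}
```

Run Part 1 first as a non-privileged user to confirm the symptom (accounts reported as Unknown), apply the ACE as an administrator, then rerun Part 1 as the same user: disabled accounts should now report Disabled. Resolving the GUIDs from the schema rather than pasting them keeps the check correct in any forest, and comparing on ObjectType and InheritedObjectType avoids counting a broader "read all properties" ACE as the specific grant the tip describes.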

NOTE: See How do I use the Find dialog in Windows Server 2003 Active Directory Users and Computers to search for objects?
