JSI Tip 8285. Disabled user accounts appear as enabled in Active Directory Users and Computers if a user does NOT have read access to the userAccountControl attribute?

In a Windows Server 2003 domain, users who are NOT members of the following groups can view their own user account, and any account they have been granted permission to create:

Domain Administrators
Account Operators
RAS Servers group
Built-in Administrators
Enterprise Administrators

If a user does NOT have read permission on the userAccountControl attribute, any disabled account returned by the Object Picker in Active Directory Users and Computers will appear as if it were enabled.

To resolve this issue, grant Read access on the userAccountControl attribute:

1. On a Windows Server 2003 domain controller, open a CMD.EXE window.

2. Using DSACLS (installed from the Support Tools folder of the CD-ROM), type the following command and press Enter:

dsacls "[ou=Organization Unit,]dc=DOMAIN,dc=COM" /I:S /G "domain users":rp;userAccountControl;user

NOTE: Case is important.

If you wanted to grant Read access to the userAccountControl attribute in the West Coast OU of JSIINC.COM:

dsacls "ou=West Coast,dc=JSIINC,dc=COM" /I:S /G "domain users":rp;userAccountControl;user

If you wanted to grant Read access to the userAccountControl attribute in JSIINC.COM domain:

dsacls "dc=JSIINC,dc=COM" /I:S /G "domain users":rp;userAccountControl;user
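A check to go with the procedure above, added here and not part of the original tip: run this PowerShell script (plain ADSI, no AD module required) as the user whose view you want to verify. A user object whose userAccountControl comes back empty is one the caller cannot read, which is exactly the condition under which a disabled account is displayed as enabled. The search base is a placeholder; replace it with your OU or domain DN.

```powershell
# Added example, not from the tip. Reports, from the caller's own permissions,
# whether userAccountControl is readable on each user under the search base.
# Assumption: the DN below is a placeholder to replace with your OU/domain.
param(
    [string]$SearchBase = "LDAP://ou=Organization Unit,dc=DOMAIN,dc=COM"
)

$ADS_UF_ACCOUNTDISABLE = 0x2   # bit 1 of userAccountControl marks a disabled account

$root = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")

$unreadable = 0
foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["samaccountname"][0]
    $uacValues = $result.Properties["useraccountcontrol"]
    if ($null -eq $uacValues -or $uacValues.Count -eq 0) {
        # Every user object has userAccountControl; AD omits it from the result
        # only when the caller lacks read access (RP) on the attribute.
        $unreadable++
        "{0,-24} userAccountControl NOT readable (would display as enabled)" -f $name
        continue
    }
    $uac = [int]$uacValues[0]
    $state = if ($uac -band $ADS_UF_ACCOUNTDISABLE) { "DISABLED" } else { "enabled" }
    "{0,-24} userAccountControl=0x{1:X} {2}" -f $name, $uac, $state
}

if ($unreadable -gt 0) {
    "`n$unreadable account(s) have an unreadable userAccountControl from this context."
    "Grant RP on userAccountControl with dsacls (as in the command above) and re-run."
}
```

Run it once before and once after the dsacls change from the same low-privilege account; the NOT readable lines should disappear.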

NOTE: See How do I use the Find dialog in Windows Server 2003 Active Directory Users and Computers to search for objects?
