The title kinda says it all, but I wonder if anyone has been able to apply a group in AD that can disable and enable accounts versus making that account a domain admin which is bad…?
This is needed for a new service account to be used in the LDAP plugin for the explicit purpose of enabling and disabling AD accounts.