Delegation to a group must be removed
Goodmorning,
We have delegated a group to join computers to domain but, now, we need to remove that permission from every object.
I've tryed to deny writing permissions on that OU, but i see that they still have permissions to join old computer names to domain (wich were delegated to them.
Maybe with a script to remove this group from every computer object ? Exsists? Or there is something about permissions that could allow me to.. deny them? :)
We have delegated a group to join computers to domain but, now, we need to remove that permission from every object.
I've tryed to deny writing permissions on that OU, but i see that they still have permissions to join old computer names to domain (wich were delegated to them.
Maybe with a script to remove this group from every computer object ? Exsists? Or there is something about permissions that could allow me to.. deny them? :)
ASKER
Sorry, I didn't mentioning that, until now, we gave that kind of permission while adding every single computer to the domain, granting the permission to add workstations to the domain to that group.
Now, if i check security permissions of a computer name in AD, I see that group allowed to write on every object. I've tryied to put a "Deny" on the OU, but i've find out that it doesn't work, as the security on the single object "wins" on the inherited one.
Now, if i check security permissions of a computer name in AD, I see that group allowed to write on every object. I've tryied to put a "Deny" on the OU, but i've find out that it doesn't work, as the security on the single object "wins" on the inherited one.
ASKER
It seems that this question is more difficult of what i've expected. Points raised to 250.
OK, as I understood you delegated permissions for one group on OU, right? And now you want to remove that group?
If so, open your AD U&C console, navigate in menu to "View" and select "Advanced Features" option. Now, select proper OU and click right mouse button on it and choose "Properties". Select "Security" tab and locate that group which you want to remove. Select the group and click on "Remove" button then "OK". Now you shouldn't see that group on computer object's security tab.
If so, open your AD U&C console, navigate in menu to "View" and select "Advanced Features" option. Now, select proper OU and click right mouse button on it and choose "Properties". Select "Security" tab and locate that group which you want to remove. Select the group and click on "Remove" button then "OK". Now you shouldn't see that group on computer object's security tab.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment - "Add workstations to the domain"
Thanks
Mike