Link to home
Start Free TrialLog in
Avatar of asrvwiz
asrvwizFlag for United States of America

asked on

ADUC properties for user/group security tab with advanced features checked

In AD when selecting properties for a user or group with advanced features checked under view, this enables a security tab.  We have users in this tab that can change passwords and reset passwords.  Where are these users defined to have these permissions?  We have a desktop admins group but the user has been removed.  I am not sure if that is where they get the permissions from, just thought I would mention that.  I would like to remove a few of the users but they are in every user/group.

Running 2008 R2 domain/forest.
Avatar of KenMcF
KenMcF
Flag of United States of America image

If you go into the advanced settings on the security tab it will show you where it is getting the inherited permissions from.

 
You can right-click on an OU and select delegate control.  That walks you through a wizard that allows you to grant access to other users in the maner that you're speaking of.
Avatar of asrvwiz

ASKER

KenMcF - I see where the inheritence is coming from.  Can you just remove the user?

rstaats - I ran the delegate control wizard and I did not have the option to remove any users, so I am not sure how the users were granted these privlidges or if it is an issue with rasing the domain/forest level to 2008 R2 from 2003.  I can not remember if we used the delegate control wizard but if we did I would think the users should be removed in the same manner that they were added????
If it is a user account yes you can just remove from where the perms are set. But this will remove these permissions from everywhere below where there perms are set. Is this what you are looking to do?
Avatar of asrvwiz

ASKER

KenMcF- Two of the uers worked at the help desk and have moved to other positions.  I want to remove them so they no longer can reset/change passwords.  What do yo mean "but this will remove these permissions from everywhere below where there perms are set."
can you send a screen shot of what you have.

From what you described it sounds like you are giving individual users this access, I prefer to do this by security groups. If you would remove one of these users from the security tab then that user will not have the access to OUs. Groups, Users below where the permissions where removed depending on what permissions it had.
Avatar of asrvwiz

ASKER

KenMcF - File attached  We have a group in there, not sure why the users are as well.  Just trying to clean this up a bit.
security-tab.docx
ASKER CERTIFIED SOLUTION
Avatar of KenMcF
KenMcF
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of asrvwiz

ASKER

Ken,

Thanks for all your help!