Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ADUC properties for user/group security tab with advanced features checked

Posted on 2010-11-08
9
Medium Priority
?
589 Views
Last Modified: 2012-05-10
In AD when selecting properties for a user or group with advanced features checked under view, this enables a security tab.  We have users in this tab that can change passwords and reset passwords.  Where are these users defined to have these permissions?  We have a desktop admins group but the user has been removed.  I am not sure if that is where they get the permissions from, just thought I would mention that.  I would like to remove a few of the users but they are in every user/group.

Running 2008 R2 domain/forest.
0
Comment
Question by:asrvwiz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34086685
If you go into the advanced settings on the security tab it will show you where it is getting the inherited permissions from.

 
0
 
LVL 2

Expert Comment

by:rstaats
ID: 34086707
You can right-click on an OU and select delegate control.  That walks you through a wizard that allows you to grant access to other users in the maner that you're speaking of.
0
 

Author Comment

by:asrvwiz
ID: 34087074
KenMcF - I see where the inheritence is coming from.  Can you just remove the user?

rstaats - I ran the delegate control wizard and I did not have the option to remove any users, so I am not sure how the users were granted these privlidges or if it is an issue with rasing the domain/forest level to 2008 R2 from 2003.  I can not remember if we used the delegate control wizard but if we did I would think the users should be removed in the same manner that they were added????
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 27

Expert Comment

by:KenMcF
ID: 34087104
If it is a user account yes you can just remove from where the perms are set. But this will remove these permissions from everywhere below where there perms are set. Is this what you are looking to do?
0
 

Author Comment

by:asrvwiz
ID: 34087166
KenMcF- Two of the uers worked at the help desk and have moved to other positions.  I want to remove them so they no longer can reset/change passwords.  What do yo mean "but this will remove these permissions from everywhere below where there perms are set."
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34087456
can you send a screen shot of what you have.

From what you described it sounds like you are giving individual users this access, I prefer to do this by security groups. If you would remove one of these users from the security tab then that user will not have the access to OUs. Groups, Users below where the permissions where removed depending on what permissions it had.
0
 

Author Comment

by:asrvwiz
ID: 34087597
KenMcF - File attached  We have a group in there, not sure why the users are as well.  Just trying to clean this up a bit.
security-tab.docx
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 2000 total points
ID: 34087625
In my opinion I would remove all users and assign all your needed permissions to security groups. Then add all your users to these groups. Then when you need to remove or add users to this access you would just add or remove from the groups and not have to remove individual users. You can set the permissions through the delegation wizard.
0
 

Author Closing Comment

by:asrvwiz
ID: 34087776
Ken,

Thanks for all your help!
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question