• Status: Solved

Active Directory groups permissions question

Is there a way to prevent one security group, Group-A, from being added to any other groups? During the new group creation process, all new groups are made "member of" that Group-A.  Where we can potentially get into some big trouble is when the members exposed to other databases to all other users on the system.  Is it possible to structure AD in some way so that Group-A can *never* be included under the other group's tab?
Asked by: Tiras25

2 Solutions
 
hirenvmajithiya, Manager (System Administration), commented:
As far as I know, you cannot prevent showing the group you created, because of its attribute as group.
 
Tiras25 (Author) commented:
Is there any way to prevent the group from being added as a member of another group?
Don’t really want to hide it, but my gut says there is something to prevent it from being part of another group.  Maybe through AD Object permissions?
 
Tiras25 (Author) commented:
Hmm, I noticed EE slowed down a lot.  Do you think it's on the way down?
 
Columbia Energy, Engineers of All Types, commented:
The short answer to the question is no.

Active Directory does not really play nice when it comes to modifying its object permissions.  In my experience with such, AD just resets the permissions back to default.  While I'm sure there's a way to achieve what you seek, it's likely not recommended.

With proper Active Directory structure and administrative controls, you should not need to prevent one group from being placed into another.  If Group-A is encompassing of all users on the domain, consider changing that practice.  One should always use a security model that is least permissive.  This may yield a ton of security groups, but that headache is worth having as opposed to someone with access to stuff they shouldn't.
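
Since the answer above is that AD will not block the nesting, one detective control is to audit it. The following is an added example, not part of the original thread: it walks `MemberOf` upward from Group-A, including indirect nesting, and flags any parent group that is not on an allow-list. The group DNs, the `Get-GroupNesting` function name and the allow-list are assumptions, and the sample data is constructed.

```powershell
# Constructed sample data. Against a real domain, build $groups with the
# ActiveDirectory module instead:
#   $groups = Get-ADGroup -Filter * -Properties MemberOf
$base = 'OU=Groups,DC=example,DC=test'
$groups = @(
    [pscustomobject]@{ DistinguishedName = "CN=Group-A,$base";    MemberOf = @("CN=Staff,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Staff,$base";      MemberOf = @("CN=DB-Readers,$base") }
    # DB-Readers is nested back into Staff: a cycle the walk must survive.
    [pscustomobject]@{ DistinguishedName = "CN=DB-Readers,$base"; MemberOf = @("CN=Staff,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Printers,$base";   MemberOf = @() }
)

function Get-GroupNesting {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,
        [Parameter(Mandatory)] [string]   $StartDN,
        [string[]] $AllowedParents = @()
    )
    # Index each group's MemberOf list by DN (hashtable keys are case-insensitive).
    $memberOf = @{}
    foreach ($g in $Groups) { $memberOf[$g.DistinguishedName] = @($g.MemberOf) }

    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue([pscustomobject]@{ DN = $StartDN; Path = @($StartDN) })
    [void]$seen.Add($StartDN)

    # Breadth-first walk up the nesting chain, one record per parent group found.
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        foreach ($parent in $memberOf[$node.DN]) {
            if (-not $seen.Add($parent)) { continue }   # already visited: cycle guard
            $path = $node.Path + $parent
            [pscustomobject]@{
                Parent  = $parent
                Depth   = $path.Count - 1               # 1 = direct, >1 = inherited
                Path    = $path -join ' -> '
                Allowed = $AllowedParents -contains $parent
            }
            $queue.Enqueue([pscustomobject]@{ DN = $parent; Path = $path })
        }
    }
}

# Report every group Group-A ends up inside that was not explicitly approved.
Get-GroupNesting -Groups $groups -StartDN "CN=Group-A,$base" -AllowedParents "CN=Staff,$base" |
    Where-Object { -not $_.Allowed } | Format-List Parent, Depth, Path
```

With the sample data this reports `CN=DB-Readers` at depth 2, reached through `Staff`, which is the kind of indirect exposure the question is worried about.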