We help IT Professionals succeed at work.

AD object permissions

Anyone knows how to prevent a Security Group to be a part of other Groups through AD Object permissions?  
Or any other possible way?
Comment
Watch Question

CERTIFIED EXPERT
Commented:
What are you trying to accomplish?

Author

Commented:
During the new Group creation process, all new groups are made "member of' the that one Group.  Where we can potentially get into some big trouble is when the members exposed to othe databases to all other users on the system.  Is it possile to structure AD in some way so that Group-A can *never* be included under the other group's tab?  I heard something can be done with AD Object permissions.
CERTIFIED EXPERT
Commented:
The only thing i can think of is through group policy where we deny access to a specific group. Not sure if it can be done where to exclude a security group from another security group. I will do more research on it. But I dont think its possible.
CERTIFIED EXPERT
Commented:
This is what I'm talking about in regards to deny security groups through gpo. Called "Scope Filtering"

http://technet.microsoft.com/en-us/library/cc786636(v=ws.10).aspx

Author

Commented:
Still looking into this.  Sorry for the delay.  Would that be possible to change from Global to Local security group?  That way they won't be able to add a local group into anywhere.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.