Solved

Add a new user and add user to a group in AD

Posted on 2012-04-03
Last Modified: 2012-04-19
1) What is the name of the permission in AD that would allow another user to create a new domain user? And how can you run a list of which users can create new users, and "where" in the domain they can create them?

2) What permission in AD would allow a user to add another user to another security group? I've just right-clicked a group in ADUC and gone to Security, but I can see "add self" to group, but not add other.

So a) how can I see what groups users can add themselves to, and
b) what groups users can add others to.

3) Is there any way to see which users created which groups/when, and which users created which users/when?
Question by:pma111
8 Comments
 
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 37800677
Use the Delegation wizard in ADUC.

This will walk you through the steps to create this type of permission.
Here is a good link: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


To see these permissions you need to first change your view in ADUC to Advanced.
1: Open ADUC, click on View in the toolbar and select Advanced. This will give you the Security tab.
2: Right-click the Domain level or OU level and select the Security tab.
3: Select the User or Group object you want to edit.
4: Click on Advanced.
5: Select the user and select Edit.
6: On the Object tab these are all the DACL settings.

For your third question you will need to turn on Audit Directory Service Access under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory service access {enable}
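The accepted answer shows where the ACEs live in ADUC and which audit policy to switch on. The following PowerShell is an added example (my own code, not from the thread or the linked article) that reports the same information across the whole domain instead of one object at a time: who can create user objects and in which container, who can write a group's member attribute versus who only holds the "add/remove self as member" validated write, and who created which user or group, read back from the Security log. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), read access to the directory, and that the domain controllers log the Account Management events it reads; the function names are mine.

```powershell
# Added example, not from the thread: domain-wide report of create-user rights,
# group membership write rights, and object-creation audit events.
# Assumes the RSAT ActiveDirectory module and a domain-joined workstation.
Import-Module ActiveDirectory

# schemaIDGUIDs that object-specific ACEs refer to (well-known, fixed in every forest).
$UserClassGuid   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$MemberAttrGuid  = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # member attribute / "add-remove self" validated write
$MembershipSet   = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'   # "Membership" property set (contains member)
$AnyGuid         = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all classes / all properties

function Test-Right([System.DirectoryServices.ActiveDirectoryRights]$Rights, [string]$Flag) {
    # True when the ACE's rights mask contains the named bit (GenericAll/GenericWrite set the bits too).
    $Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$Flag)
}

function Get-UserCreateRights {
    # Question 1: who may create user objects, and in which container.
    # Walks the domain root and every OU, so a delegation done at a lower OU is not missed.
    $containers = @((Get-ADDomain).DistinguishedName) +
                  @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $coversUsers = ($ace.ObjectType -eq $UserClassGuid) -or ($ace.ObjectType -eq $AnyGuid)
            if ($coversUsers -and (Test-Right $ace.ActiveDirectoryRights 'CreateChild')) {
                [pscustomobject]@{
                    Container = $dn
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Scope     = $(if ($ace.ObjectType -eq $UserClassGuid) { 'user objects' } else { 'any child object' })
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-GroupMemberRights {
    # Question 2: for every group, who can write member (add others) and who only
    # holds the Self (validated write) right, which is the "add self" entry seen in ADUC.
    foreach ($g in Get-ADGroup -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $onMember  = ($ace.ObjectType -eq $MemberAttrGuid) -or ($ace.ObjectType -eq $MembershipSet) -or ($ace.ObjectType -eq $AnyGuid)
            $addOthers = $onMember -and (Test-Right $ace.ActiveDirectoryRights 'WriteProperty')
            $addSelf   = $onMember -and (Test-Right $ace.ActiveDirectoryRights 'Self')
            if ($addOthers -or $addSelf) {
                [pscustomobject]@{
                    Group        = $g.Name
                    Identity     = $ace.IdentityReference.Value
                    CanAddOthers = $addOthers
                    CanAddSelf   = ($addSelf -or $addOthers)
                    Inherited    = $ace.IsInherited
                }
            }
        }
    }
}

function Get-AdObjectCreationEvents {
    # Question 3: who created which user/group, and when.
    # 4720 = user created; 4727/4731/4754 = global/local/universal security group created.
    # These come from the "Audit User Account Management" and "Audit Security Group
    # Management" subcategories on the DCs (Directory Service Access produces 4662, which is far noisier).
    # Each DC only holds the events for changes it processed, so query every DC.
    param([string]$DomainController = (Get-ADDomainController).HostName, [int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720, 4727, 4731, 4754; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            What      = $(if ($_.Id -eq 4720) { 'user created' } else { 'security group created' })
            Object    = $data['TargetUserName']
            CreatedBy = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
            DC        = $DomainController
        }
    }
}

# Usage: one report per question, the group report covering all groups in one pass.
Get-UserCreateRights | Format-Table -AutoSize
Get-GroupMemberRights | Where-Object CanAddOthers | Export-Csv .\group-member-writers.csv -NoTypeInformation
Get-ADDomainController -Filter * | ForEach-Object { Get-AdObjectCreationEvents -DomainController $_.HostName -Days 7 }
```

Two caveats a practitioner should keep in mind: the ACL report shows explicit and inherited ACEs but does not expand group nesting, so a row for a group means every transitive member of that group has the right; and membership of a group's primary-group (primaryGroupID) is not written through the member attribute, so it is not covered by the WriteProperty check.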
 
LVL 3

Author Comment

by:pma111
ID: 37801119
Thanks.

Re 2, there are many rows on each ACL; which is the specific permission for group additions? And if you have 500 groups, do you have to do this 500 times manually, or is there a way to report out for all 500 groups who can add members to them?
 
LVL 22

Expert Comment

by:yo_bee
ID: 37801982
You do it at the domain level and let it propagate.
 
LVL 3

Author Comment

by:pma111
ID: 37804948
But I think you can delegate at lower levels, so for ultimate assurance, i.e. a full list of "who can do what", just checking at the domain wouldn't suffice, would it?
 
LVL 22

Expert Comment

by:yo_bee
ID: 37805421
Not sure what you are asking.
Do you mean a full list of users or a full list of ACLs?
 
LVL 3

Author Comment

by:pma111
ID: 37842190
full list of acl
 
LVL 22

Expert Comment

by:yo_bee
ID: 37842721
Here are some screenshots of the Delegation of Control Wizard.
These settings can be applied at various levels depending on how you want to control ACLs in AD.

If you apply it at the Domain level then that user or group will have those delegated rights to all OUs.
If you want to just allow the user or group to have rights to a certain OU then you apply it to just the OU.
My example is targeting an OU.
Step 1:
Right-click the OU and select Delegate Control.

[screenshots: ACL1, DCW]
Step 2: Follow the wizard:

Next

[screenshot: DCW1]
Click Add and select the user or group that you want to give rights to.

[screenshot: DCW2]
Check (Create, Delete and Manage User Accounts)

[screenshots: DCW3, DCW4]
After you are finished you can check the security settings by right-clicking the OU and selecting Properties. Then click on the Security tab and select Advanced.
Locate the newly delegated user or group and notice that there are two entries.
One that just has (Create and Delete User Objects)

[screenshot: ACL2]
The other that says Special.
This gives you full rights over the User Objects that were created.

[screenshot: ACL3]
You can play around with this as you can see that there are a plethora of settings.
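The wizard leaves exactly the two ACEs the post describes: one that allows creating and deleting user objects in the OU, and one "Special" entry granting full control over user objects beneath it. As an added example (my own code, not from the thread), the PowerShell below applies the same delegation without the wizard, which is how you would script it for many OUs and keep the result reviewable, and then reads back the two entries so you can confirm what was granted. It assumes the RSAT ActiveDirectory module and that the caller has Modify Permissions on the target OU; the OU and group names in the usage line are placeholders.

```powershell
# Added example, not from the thread: reproduce the "Create, delete, and manage user
# accounts" delegation in code and verify the resulting ACEs.
# Assumes the RSAT ActiveDirectory module (AD: drive) and Modify Permissions on the OU.
Import-Module ActiveDirectory

$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

function Grant-UserAccountAdmin {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. 'OU=Sales,DC=corp,DC=example'  (placeholder)
        [Parameter(Mandatory)][string]$GroupSam   # delegate to a group, never to an individual user
    )
    $sid  = (Get-ADGroup -Identity $GroupSam).SID
    $path = "AD:\" + $OuDn
    $acl  = Get-Acl -Path $path

    # ACE 1: create and delete *user* objects in this OU and any sub-OU (inherits to containers).
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $createDelete,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # ACE 2: the "Special" entry: full control, inherited only by descendant objects of class user.
    # (Note the .NET enum really is spelled "Descendents".)
    $ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)

    $acl.AddAccessRule($ace1)
    $acl.AddAccessRule($ace2)
    Set-Acl -Path $path -AclObject $acl
}

function Get-DelegatedAces {
    # Read back what a principal holds on an OU: the two rows the post says to look for.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    (Get-Acl -Path ("AD:\" + $OuDn)).Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType, IsInherited
}

# Usage (placeholder OU and group):
Grant-UserAccountAdmin -OuDn 'OU=Sales,DC=corp,DC=example' -GroupSam 'Sales-UserAdmins'
Get-DelegatedAces      -OuDn 'OU=Sales,DC=corp,DC=example' -GroupSam 'Sales-UserAdmins' | Format-List
```

In the read-back output, ACE 1 shows ActiveDirectoryRights CreateChild, DeleteChild with ObjectType equal to the user class GUID, and ACE 2 shows GenericAll with InheritanceType Descendents and InheritedObjectType equal to the user class GUID; that second row is what ADUC summarises as "Special". Because ACE 2 grants GenericAll on user objects, the delegate can also reset passwords and edit every attribute of those users, so scope the OU tightly and keep admin accounts out of it.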
 
LVL 3

Author Comment

by:pma111
ID: 37854742
Many thanks, any tools to see what has been delegated, or is that a more complex process?
