Solved

Add a new user and add user to a group in AD

Posted on 2012-04-03
8
217 Views
Last Modified: 2012-04-19
1) What is the name of the permission in AD that would allow another user to create a new domain user? And how can you run a list of which users can create new users, and "where" in the domain they can create them?

2) What permission in AD would allow a user to add another user to another security group? I've just right-clicked a group in ADUC and gone on Security, but I can see "add self" to group, but not add other.

So a) how can I see what groups users can add themselves to, and
b) what groups users can add others to.

3) Is there any way to see which users created which groups/when, and which users created which users/when?
0
Question by:pma111
8 Comments
 
LVL 23

Accepted Solution

by:
yo_bee earned 500 total points
ID: 37800677
Use the Delegation wizard in ADUC.

This will walk you through the steps to create this type of permission.
Here is a good link: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


To see these permissions you need to first change your view in ADUC to Advanced.
1: Open ADUC, click on View in the toolbar and select Advanced. This will give you the Security tab.
2: Right-click the domain level or OU level and select the Security tab.
3: Select the user or group object you want to edit.
4: Click on Advanced.
5: Select the user and select Edit.
6: On the Object tab these are all the DACL settings.

To your third question, you will need to turn on Audit Directory Service under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory service access {enable}.
0
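As an added example that is not part of this thread or of yo_bee's answer: once auditing is in place, the "who created which user/group, and when" part of question 3 can be pulled from a domain controller's Security log with PowerShell. One caveat worth knowing: the creation events (4720 for users; 4727, 4731 and 4754 for security groups) and the member-added events (4728, 4732 and 4756) come from the Account Management audit subcategories (User Account Management and Security Group Management), so those need to be enabled on the DCs; the Audit directory service access setting named above produces 4662 events for operations on directory objects that carry a SACL. The DC name below is a placeholder.

```powershell
# Added example, not from the thread: list who created which user/group, and who added whom
# to which group, from a domain controller's Security log.
# Assumes the DC audits the Account Management subcategories (User Account Management,
# Security Group Management) and that the caller can read its Security log remotely.
$DomainController = 'dc01.example.local'   # placeholder, replace with a real DC name
$Since            = (Get-Date).AddDays(-30)

# Security event IDs (fixed by Windows) and what each one records
$EventMeaning = @{
    4720 = 'User account created'
    4727 = 'Security-enabled global group created'
    4731 = 'Security-enabled local group created'
    4754 = 'Security-enabled universal group created'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}

# Get-WinEvent reports an error (not an empty result) when nothing matches, hence SilentlyContinue
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$EventMeaning.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Read the EventData fields by name from the event XML instead of relying on their position
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = $EventMeaning[$e.Id]
        Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target  = $data['TargetUserName']   # the new user/group, or the group that gained a member
        Member  = $data['MemberName']       # DN of the added member (member-added events only)
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Account-management events are written only on the DC that processed the change, so for a complete answer run this against every DC (or against whatever collects their Security logs) and merge the results.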
 
LVL 3

Author Comment

by:pma111
ID: 37801119
Thanks.

Re 2, there are many rows on each ACL; which is the specific permission to add group additions? And if you have 500 groups, do you have to do this 500 times manually, or is there a way to report out for all 500 groups who can add members to them?
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37801982
You do it at the domain level and let it propagate.
0

 
LVL 3

Author Comment

by:pma111
ID: 37804948
But I think you can delegate at lower levels, so for ultimate assurance, i.e. a full list of "who can do what", just checking at the domain wouldn't suffice, would it?
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37805421
Not sure what you are asking.
Do you mean a full list of users or a full list of ACLs?
0
 
LVL 3

Author Comment

by:pma111
ID: 37842190
Full list of ACLs.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37842721
Here are some screenshots of the Delegation of Control Wizard;
These settings can be applied at various levels depending on how you want to control ACLs in AD.

If you apply it at the domain level then that user or group will have those delegated rights to all OUs.
If you want to just allow the user or group to have rights to a certain OU then you apply it to just the OU.
My example is targeting an OU.
Step 1:
Right-click the OU and select Delegate Control.

[screenshot: ACL1]
[screenshot: DCW]
Step 2: Follow the wizard:

Next

[screenshot: DCW1]
Click Add and select the user or group that you want to give rights to.

[screenshot: DCW2]
Check (Create, Delete and Manage User Accounts).

[screenshot: DCW3]
[screenshot: DCW4]
After you are finished you can check the security settings by right-clicking the OU and selecting Properties. Then click on the Security tab and select Advanced.
Locate the newly delegated user or group and notice that there are two entries.
One that just has Create and Delete User Objects.

[screenshot: ACL2]
The other that says Special.
This gives you full rights over the User Object that was created.

[screenshot: ACL3]
You can play around with this as you can see that there are a plethora of settings.
0
 
LVL 3

Author Comment

by:pma111
ID: 37854742
Many thanks. Any tools to see what has been delegated, or is that a more complex process?
0
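Answering both the earlier "500 groups" question and this last one with an added example (not from this thread, and not yo_bee's or Microsoft's code): instead of opening the Security tab on each object, the following PowerShell reads the DACL of every OU/container and every group through the ActiveDirectory module's AD: drive and reports (a) who holds Create Child for user objects on each container, which answers "who can create users and where", and (b) for each group, who can write the member attribute (add others) versus who only holds the Self validated write (the "add self" entry seen in ADUC). It assumes the RSAT ActiveDirectory module and read access to the directory; the two schema GUIDs are well-known constants of the AD schema, and the output file names are arbitrary.

```powershell
# Added example, not from the thread: report who can create users (and where) and who can add
# members to each group, by reading the DACL of the relevant AD objects.
# Assumes the RSAT ActiveDirectory module (it provides the AD: drive that Get-Acl uses here).
Import-Module ActiveDirectory

# Well-known schemaIDGUIDs, identical in every AD forest
$UserClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # 'user' object class
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # 'member' attribute (same GUID as the Self-Membership validated write)
$AnyGuid        = [Guid]::Empty                                   # ACE not scoped to one class/attribute

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Prop   = [System.Security.AccessControl.PropagationFlags]

function Get-AllowAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Get-Acl on the AD: drive returns the object's security descriptor; keep Allow ACEs only
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object { $_.AccessControlType -eq 'Allow' }
}

# (a) Who can create user objects, and in which OU/container
$containers = Get-ADObject -LDAPFilter '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
$createUserReport = foreach ($c in $containers) {
    foreach ($ace in Get-AllowAces $c.DistinguishedName) {
        # Inherit-only ACEs (e.g. the wizard's "Special" full-control-over-descendant-users entry)
        # apply to child objects, not to this container, so they cannot grant creation here
        if ($ace.PropagationFlags.HasFlag($Prop::InheritOnly)) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($Rights::CreateChild)) { continue }
        if ($ace.ObjectType -ne $UserClassGuid -and $ace.ObjectType -ne $AnyGuid) { continue }
        $scope = if ($ace.ObjectType -eq $AnyGuid) { 'any child class' } else { 'user objects' }
        [pscustomobject]@{
            Container = $c.DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

# (b) For every group: who can add others (write 'member') vs. only themselves (Self validated write)
$memberReport = foreach ($g in (Get-ADGroup -Filter *)) {
    foreach ($ace in Get-AllowAces $g.DistinguishedName) {
        if ($ace.ObjectType -ne $MemberAttrGuid -and $ace.ObjectType -ne $AnyGuid) { continue }
        # GenericWrite and GenericAll both include the WriteProperty bit, so one test covers them
        $addOthers = $ace.ActiveDirectoryRights.HasFlag($Rights::WriteProperty)
        $addSelf   = $ace.ActiveDirectoryRights.HasFlag($Rights::Self)
        if (-not ($addOthers -or $addSelf)) { continue }
        [pscustomobject]@{
            Group     = $g.DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            AddOthers = $addOthers
            AddSelf   = $addSelf
            Inherited = $ace.IsInherited
        }
    }
}

# Output file names are arbitrary
$createUserReport | Export-Csv -NoTypeInformation -Path .\who-can-create-users.csv
$memberReport     | Export-Csv -NoTypeInformation -Path .\who-can-add-group-members.csv
```

The Inherited column shows whether a right was set on that object or arrived from a parent, which is exactly the "delegated at a lower level" case raised above: a row with Inherited = False on an OU or group is a delegation that a look at the domain root alone would miss. Trustees are listed as they appear in the ACE, so a user who gets a right through a delegated group shows up under the group's name; expand group membership separately if you need per-user results.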