Solved

Add a new user and add user to a group in AD

Posted on 2012-04-03
8
213 Views
Last Modified: 2012-04-19
1) what is the name of the permissions in AD would allow another user to create a new domain user? And how can you run a list of which users can create new users, and "where" in the domain they can create them?

2) , what permission in AD would allow a user to add another user to another security group? I've just right clicked a group in ADUC and gone on security, but I can see "add self" to group, but not add other.

So a) how can I see what groups users can add themselves to, and
b) what groups users can add others to.

3) Is there anyway to see which users created which groups/when, and which users created which users/when?
0
Comment
Question by:pma111
  • 4
  • 4
8 Comments
 
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 37800677
Use Delegation wizard in ADUC.

This will walk you through the steps to create this type of permission
 Here is a good link http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


To see these permission you need to first change your view in ADUC to Advance.
1:Open ADUC click on view in the toolbar and select advance.  This will give you the security tab.
2: right click the Domain level or OU Level and select security tab.
3: Select the User or Group Object you want to edit.
4: Click on Advanced
5: Select the user and select edit
6: On the Object tab these are all the DACLS setting.

To your third question you will need to turn on Audit Directory Service under Computer Configuration > Policies > Windows Setting > Security Settings > Local Policies > Audit Policy > Audit directory service access {enable}
0
 
LVL 3

Author Comment

by:pma111
ID: 37801119
Thanks.

Re 2, there are many rows on each ACL, which is the specific permission to add group additions. And if you have 500 groups, do you have to do this 500 times manually, or is there a way to report out for all 500 groups who can add members to them.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 37801982
You do it at the domain level and let it propergate.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 3

Author Comment

by:pma111
ID: 37804948
But I think you can delegate at lower levels, so for ultimate assurance, i.e. a full list of "who can do what", just checking at the domain wouldnt suffice, would it?
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 37805421
Not sure what you are asking.
Do you mean a full list of users or a full list of acl.
0
 
LVL 3

Author Comment

by:pma111
ID: 37842190
full list of acl
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 37842721
Here are some screenshots of Delegation Control Wizard;
These settings can be applied to various levels depending on how you want to control ACL in AD.

I you apply it to the Domain level then that user or group will have those delegated rights to all OU's
If you want to just allow the user or group to have rights to the certain OU then you apply it to just the OU.
My example is targeting an OU.
Step 1:
Right click the OU and select Delegate Control

ACL1
DCW
Step 2: Follow the wizard:

Next

DCW1
Click ADD and select the user or group that you want to give rights to.

DCW2
Check (Create, Delete and Manage Users Account)

DCW3
DCW4
After you are finished you can check the security settins by Righting the OU and select Properties. Then click on the Security Tab and select Advance.
Locate the newly delegated user or group and notice that there are two entries.
One that just has Create and Delete User Objects)

ACL2
The other that says special.
This gives you full rights over the User Object that was created.

ACL3
You can play around with this as you can see that there are a plethora of settings.
0
 
LVL 3

Author Comment

by:pma111
ID: 37854742
Many thanks, any tools to see what has been delegated, or is that a more complex process?
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question