Solved

Add a new user and add user to a group in AD

Posted on 2012-04-03
8
211 Views
Last Modified: 2012-04-19
1) what is the name of the permissions in AD would allow another user to create a new domain user? And how can you run a list of which users can create new users, and "where" in the domain they can create them?

2) , what permission in AD would allow a user to add another user to another security group? I've just right clicked a group in ADUC and gone on security, but I can see "add self" to group, but not add other.

So a) how can I see what groups users can add themselves to, and
b) what groups users can add others to.

3) Is there anyway to see which users created which groups/when, and which users created which users/when?
0
Comment
Question by:pma111
  • 4
  • 4
8 Comments
 
LVL 21

Accepted Solution

by:
yo_bee earned 500 total points
Comment Utility
Use Delegation wizard in ADUC.

This will walk you through the steps to create this type of permission
 Here is a good link http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


To see these permission you need to first change your view in ADUC to Advance.
1:Open ADUC click on view in the toolbar and select advance.  This will give you the security tab.
2: right click the Domain level or OU Level and select security tab.
3: Select the User or Group Object you want to edit.
4: Click on Advanced
5: Select the user and select edit
6: On the Object tab these are all the DACLS setting.

To your third question you will need to turn on Audit Directory Service under Computer Configuration > Policies > Windows Setting > Security Settings > Local Policies > Audit Policy > Audit directory service access {enable}
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Thanks.

Re 2, there are many rows on each ACL, which is the specific permission to add group additions. And if you have 500 groups, do you have to do this 500 times manually, or is there a way to report out for all 500 groups who can add members to them.
0
 
LVL 21

Expert Comment

by:yo_bee
Comment Utility
You do it at the domain level and let it propergate.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
But I think you can delegate at lower levels, so for ultimate assurance, i.e. a full list of "who can do what", just checking at the domain wouldnt suffice, would it?
0
Shouldn't all users have the same email signature?

You wouldn't let your users design their own business cards, would you? So, why do you let them design their own email signatures? Think of the damage they could be doing to your brand reputation! Choose the easy way to manage set up and add email signatures for all users.

 
LVL 21

Expert Comment

by:yo_bee
Comment Utility
Not sure what you are asking.
Do you mean a full list of users or a full list of acl.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
full list of acl
0
 
LVL 21

Expert Comment

by:yo_bee
Comment Utility
Here are some screenshots of Delegation Control Wizard;
These settings can be applied to various levels depending on how you want to control ACL in AD.

I you apply it to the Domain level then that user or group will have those delegated rights to all OU's
If you want to just allow the user or group to have rights to the certain OU then you apply it to just the OU.
My example is targeting an OU.
Step 1:
Right click the OU and select Delegate Control

ACL1
DCW
Step 2: Follow the wizard:

Next

DCW1
Click ADD and select the user or group that you want to give rights to.

DCW2
Check (Create, Delete and Manage Users Account)

DCW3
DCW4
After you are finished you can check the security settins by Righting the OU and select Properties. Then click on the Security Tab and select Advance.
Locate the newly delegated user or group and notice that there are two entries.
One that just has Create and Delete User Objects)

ACL2
The other that says special.
This gives you full rights over the User Object that was created.

ACL3
You can play around with this as you can see that there are a plethora of settings.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Many thanks, any tools to see what has been delegated, or is that a more complex process?
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now