Add a new user and add user to a group in AD

1) What is the name of the permission in AD that would allow another user to create a new domain user? And how can you run a list of which users can create new users, and "where" in the domain they can create them?

2) What permission in AD would allow a user to add another user to a security group? I've just right-clicked a group in ADUC and gone to Security, but I can see "Add self" to group, not add others.

So a) how can I see what groups users can add themselves to, and
b) what groups users can add others to.

3) Is there any way to see which users created which groups/when, and which users created which users/when?
pma111 asked:
yo_bee (Director of Information Technology) commented:
Use the Delegation of Control Wizard in ADUC.

This will walk you through the steps to create this type of permission.
Here is a good link: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


To see these permissions you need to first change your view in ADUC to Advanced Features.
1: Open ADUC, click View in the menu and select Advanced Features. This will give you the Security tab.
2: Right-click the domain level or OU level and select the Security tab.
3: Select the user or group object you want to edit.
4: Click on Advanced.
5: Select the user and select Edit.
6: On the Object tab, these are all the DACL settings.

For your third question you will need to turn on Audit Directory Service under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit directory service access {enable}
0
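Added example, not code from the thread or its answerer: once auditing is in place on the domain controllers, the third question (which users created which users and groups, when, and who added whom to which group) can be answered straight from a DC's Security log with PowerShell. The script below reads the account-management events on one DC. Two caveats a practitioner would want: these particular events (4720, 4727/4731/4754, 4728/4732/4756) are produced by the Audit User Account Management and Audit Security Group Management subcategories on the DCs, whereas the "Audit directory service access" setting named above produces object-access events (4662) only for objects that carry a SACL; and if you also need the "where" (the new object's DN), the Audit Directory Service Changes subcategory records it in event 5137. The DC name, look-back window and output file name are placeholders of mine, not anything from the page.

```powershell
# Added example, not from the original thread.
# Reads the Security log of a domain controller and reports who created which
# user or security group, and who added which member to which group, with timestamps.
# Assumptions (not stated on the page): $dc is a DC whose Security log you can read,
# and the Account Management audit subcategories are enabled there.
$dc    = 'DC1'                      # hypothetical DC name; change to yours
$since = (Get-Date).AddDays(-30)    # look-back window

# Event IDs: 4720 user created; 4727/4731/4754 global/local/universal security group created;
# 4728/4732/4756 member added to a global/local/universal security group.
$kind = @{
    4720 = 'User created'
    4727 = 'Group created'; 4731 = 'Group created'; 4754 = 'Group created'
    4728 = 'Member added';  4732 = 'Member added';  4756 = 'Member added'
}

function Get-AccountManagementEvents {
    param([string]$ComputerName, [datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = @($kind.Keys); StartTime = $StartTime }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields (SubjectUserName, TargetUserName, MemberName, ...) out of the event XML
        $data = @{}
        foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Action = $kind[[int]$_.Id]
            Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName   # who did it
            Target = '{0}\{1}' -f $data.TargetDomainName,  $data.TargetUserName    # the user created, or the group created/changed
            Member = $data.MemberName                                             # DN of the added member (member-added events only)
            DC     = $_.MachineName
        }
    }
}

$events = Get-AccountManagementEvents -ComputerName $dc -StartTime $since
$events | Sort-Object Time | Format-Table Time, Action, Actor, Target, Member -AutoSize
$events | Export-Csv -Path .\AccountManagement.csv -NoTypeInformation
```

Each DC logs only the changes it processed itself, so run the function against every DC (or a central log collector) for a complete picture of the domain.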

pma111 (Author) commented:
Thanks.

Re 2, there are many rows in each ACL; which is the specific permission for group additions? And if you have 500 groups, do you have to do this 500 times manually, or is there a way to report out, for all 500 groups, who can add members to them?
0
yo_bee (Director of Information Technology) commented:
You do it at the domain level and let it propagate.
0
pma111 (Author) commented:
But I think you can delegate at lower levels, so for ultimate assurance, i.e. a full list of "who can do what", just checking at the domain wouldn't suffice, would it?
0
yo_bee (Director of Information Technology) commented:
Not sure what you are asking.
Do you mean a full list of users or a full list of ACLs?
0
pma111 (Author) commented:
Full list of ACLs.
0
yo_bee (Director of Information Technology) commented:
Here are some screenshots of the Delegation of Control Wizard.
These settings can be applied at various levels depending on how you want to control the ACLs in AD.

If you apply it at the domain level, then that user or group will have those delegated rights to all OUs.
If you want to just allow the user or group to have rights to a certain OU, then you apply it to just that OU.
My example is targeting an OU.
Step 1:
Right-click the OU and select Delegate Control.

[screenshot: ACL1]
[screenshot: DCW]
Step 2: Follow the wizard:

Next

[screenshot: DCW1]
Click Add and select the user or group that you want to give rights to.

[screenshot: DCW2]
Check "Create, delete and manage user accounts".

[screenshot: DCW3]
[screenshot: DCW4]
After you are finished you can check the security settings by right-clicking the OU and selecting Properties. Then click on the Security tab and select Advanced.
Locate the newly delegated user or group and notice that there are two entries.
One that just has Create and Delete User Objects.

[screenshot: ACL2]
The other that says Special.
This gives you full rights over the user objects that are created.

[screenshot: ACL3]
You can play around with this, as you can see that there are a plethora of settings.
0
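Added example, not code from the thread: the ADUC walk-throughs above (View > Advanced Features, Security tab > Advanced) show one object's DACL at a time, and the asker's follow-up asks how to report across 500 groups, and which users can create users and where. The PowerShell below does that walk with the RSAT ActiveDirectory module. It reads the DACL of the domain head, the default Users container and every OU for ACEs that grant Create Child on user objects, and the DACL of every group for ACEs that grant Write Property on the member attribute (add others) or the Self-Membership validated write on that attribute (add self). It skips inherit-only ACEs, which is why the "Special" entry the wizard creates (full control over descendant user objects) is not reported as a right to create users under the OU. The CSV file names and the built-in-principal noise filter are my choices, not anything from the page.

```powershell
# Added example, not from the original thread.
# Reports who can create user objects (and where), and who can add others / themselves
# to each group, by reading DACLs with the RSAT ActiveDirectory module (AD: drive).
# Reading a DACL needs no rights beyond what Authenticated Users have by default.
Import-Module ActiveDirectory

# Resolve the schema GUIDs that object-specific ACEs refer to, rather than hardcoding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'    # class GUID: Create Child ACEs scoped to user objects
$memberAttr = Get-SchemaGuid 'member'  # attribute GUID; the Self-Membership validated write uses the same GUID
$anyType    = [guid]::Empty            # ACE not scoped to a class or attribute: applies to all

$CreateChild   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$WriteProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$SelfWrite     = [int][System.DirectoryServices.ActiveDirectoryRights]::Self
$InheritOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Allow ACEs on $DistinguishedName that apply to that object itself and satisfy $Match.
# A Full Control (GenericAll) ACE carries every right bit and no type scope, so it matches every test below.
function Get-MatchingAces {
    param([string]$DistinguishedName, [scriptblock]$Match)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs are carried for children (e.g. the wizard's "Special" entry for
        # descendant user objects) and grant nothing on this object.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if (-not (& $Match $ace)) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $ace.InheritanceType   # None = this object only; All/Descendents = flows to children
            Inherited = $ace.IsInherited       # $true: granted on a parent OU or the domain head, not here
        }
    }
}

# Can create users: Create Child bit, scoped to the user class or to any class.
$canCreateUser = { param($a) ([int]$a.ActiveDirectoryRights -band $CreateChild) -and
                             ($a.ObjectType -eq $userClass -or $a.ObjectType -eq $anyType) }
# Can add others: Write Property on the member attribute, or on all properties.
$canAddOthers  = { param($a) ([int]$a.ActiveDirectoryRights -band $WriteProperty) -and
                             ($a.ObjectType -eq $memberAttr -or $a.ObjectType -eq $anyType) }
# Can add self: the Self (validated write) bit on the member attribute, i.e. "Add/remove self as member".
$canAddSelf    = { param($a) ([int]$a.ActiveDirectoryRights -band $SelfWrite) -and
                             ($a.ObjectType -eq $memberAttr -or $a.ObjectType -eq $anyType) }

# Noise filter: principals that hold these rights by design (my choice; widen or drop as needed).
$builtin = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins))$'

# 1) Who can create users, and where: the domain head, the default Users container and every OU.
$domain     = Get-ADDomain
$containers = @($domain.DistinguishedName, $domain.UsersContainer) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
$createUsers = foreach ($dn in $containers) { Get-MatchingAces -DistinguishedName $dn -Match $canCreateUser }

# 2) Per group: who can add others, and who can add only themselves.
$groupDns  = Get-ADGroup -Filter * | ForEach-Object DistinguishedName
$addOthers = foreach ($dn in $groupDns) { Get-MatchingAces -DistinguishedName $dn -Match $canAddOthers }
$addSelf   = foreach ($dn in $groupDns) { Get-MatchingAces -DistinguishedName $dn -Match $canAddSelf }

$createUsers | Where-Object Trustee -notmatch $builtin | Export-Csv .\CanCreateUsers.csv -NoTypeInformation
$addOthers   | Where-Object Trustee -notmatch $builtin | Export-Csv .\CanAddMembers.csv  -NoTypeInformation
$addSelf     | Where-Object Trustee -notmatch $builtin | Export-Csv .\CanAddSelf.csv     -NoTypeInformation

# On-screen summary: which trustees can add members to how many groups.
$addOthers | Where-Object Trustee -notmatch $builtin |
    Group-Object Trustee | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Inherited ACEs are listed on every OU or group they reach, so a right delegated at the domain head shows up 500 times with Inherited = True; the Inherited and Scope columns tell you whether the grant was made on that object or higher up, which is the "where" the first question asks for. This is a DACL read, not an effective-permissions calculation: Deny ACEs are ignored, and a trustee that is itself a group is reported by name, so nested membership still has to be expanded to get to individual users.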
pma111 (Author) commented:
Many thanks, any tools to see what has been delegated, or is that a more complex process?
0