  • Status: Solved
  • Priority: Medium
  • Security: Public

Need to remove Create Users from OU for security group

Hello,

I've tried with the delegation wizard and specific ACLs on the OU, with no luck. I need to give a security group permissions to manage all aspects of user accounts in an OU, but take away the ability to create new users in that OU - that should reside with our help desk. I can't figure out a way to do it. Anyone know how?
0
JodyBear
2 Solutions
 
Mike Kline Commented:
Can't test right now, but if you right-click the OU, then go to the Security tab and then Advanced, if you select that group and give them "Deny" rights for "create user objects", does that work?

Thanks

Mike
0
 
BelushiLomax Commented:
Following mkline71, you can def. do that through the Delegation wizard in ADUC on the OU you want to restrict. It just takes a little poking around as there are potentially lots of settings, but a Deny Create should be easy to obtain in the Wizard.
0
 
JodyBear (Author) Commented:
I've tried deny create objects when applying the special permissions of OU objects, I've tried denying create child objects for user objects, etc. - I can't seem to find a way to deny creation without losing all ability of that group to manage any other attributes. Can't seem to find a way.
0
 
Mike Kline Commented:
Have you tried getting more granular and just deny "create user objects", not just objects? (See screenshot.)

screenshot ACL
Thanks

Mike
0
 
JodyBear (Author) Commented:
Yes, I tried that with no luck. Still trying different combinations.
0
 
JodyBear (Author) Commented:
OK. Apologies. I failed to include the user in that security group :-)

If you use the delegation wizard to create, manage, etc. for the account, and then go to the Security tab for the OU - leave the full control ACL for the group alone - and edit the create/delete object entry to deny as shown above in mkline71's entry, that will allow full access but disable creation/deletion of user objects.

Thanks everyone.
0
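
The deny entry described in the post above can also be applied and checked from PowerShell. This is an added example, not code from the thread; the OU, group and test user names are hypothetical placeholders, and it assumes the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.

```powershell
# Added example: $ouDn, $groupName and $testUser are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'
$groupName = 'OU-User-Managers'
$testUser  = 'jdoe'

# schemaIDGUID of the "user" object class in the AD schema
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Deny create/delete of child objects of class "user" on this OU only.
# Inheritance "None" does not reach sub-OUs; use "All" if it should.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$deny   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Existing allow entries (the delegated full control) are left untouched.
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Verify: list explicit deny entries for this group scoped to the user class.
(Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $userClass -and
    -not $_.IsInherited -and
    $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
} | Format-List IdentityReference, ActiveDirectoryRights, ObjectType

# The thread's actual stumbling block: the account under test was not in
# the group, so the deny entry never applied to it.
$members = Get-ADGroupMember -Identity $groupName -Recursive
if ($members.SamAccountName -notcontains $testUser) {
    Write-Warning "$testUser is not a member of $groupName; the deny ACE will not affect this account."
}
```

A user added to the group has to log on again before the new membership appears in their token, so test with a fresh session.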
 
JodyBear (Author) Commented:
I included my answer as well as it was even more specific in the instructions of how to do it. All points should go to him. Thank you.
0
