Solved

Need to remove Create Users from OU for security group

Posted on 2012-04-11
7
281 Views
Last Modified: 2012-04-16
hello,

     i've tried with the delegation wizard and specific ACLs on the OU, with no luck.  I need to give a security group permissions to manage all aspects of user accounts in an OU, but take away the ability to create new users in that OU - that should reside with our help desk.  i can't figure out a way to do it.  anyone know how?
0
Comment
Question by:JodyBear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37832970
Can't test right now but if you right click the OU then go to the security tab and then advanced, if you select that group and give them "Deny" rights for "create user objects"   does that work.

Thanks

Mike
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37832995
Following mkline71, you can def. do that thru the Delegation wizard in ADUC on the OU you want to restrict. It just takes a little poking around as there are potentially lots of settings, but a Deny Create should be easy to obtain in the Wizard.
0
 

Author Comment

by:JodyBear
ID: 37833191
i've tried deny create objects when applying the special permissions of OU objects, i've tried denying create child objects for user objects, etc - i can't seem to find a way to deny creation without losing all ability of that group to manage any other attributes.  can't seem to find a way.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 37833211
Have you tried getting more granular and just deny "create user objects"  not just objects,  (see screenshot)

screenshot ACL
Thanks

Mike
0
 

Author Comment

by:JodyBear
ID: 37833265
yes, i tried that with no luck.  still trying different combinations.
0
 

Assisted Solution

by:JodyBear
JodyBear earned 0 total points
ID: 37833562
ok.  apologies.  i failed to include the user in that security group :-)

if you use the delegation wizard to create, mng etc for the account, and then goto the security tab for the OU - leave the full control ACL for the group alone - and edit the create/delete object entry to deny as shown above in mkline71 entry, that will allow full access but disable creation/deletion of user objects.

thanks everyone.
0
 

Author Closing Comment

by:JodyBear
ID: 37850334
i included my answer as well as it was even more specific in the instructions of how to do it.  all points should go to him.  thank you.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question