Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Need to remove Create Users from OU for security group

Posted on 2012-04-11
7
Medium Priority
?
284 Views
Last Modified: 2012-04-16
hello,

     i've tried with the delegation wizard and specific ACLs on the OU, with no luck.  I need to give a security group permissions to manage all aspects of user accounts in an OU, but take away the ability to create new users in that OU - that should reside with our help desk.  i can't figure out a way to do it.  anyone know how?
0
Comment
Question by:JodyBear
  • 4
  • 2
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37832970
Can't test right now but if you right click the OU then go to the security tab and then advanced, if you select that group and give them "Deny" rights for "create user objects"   does that work.

Thanks

Mike
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37832995
Following mkline71, you can def. do that thru the Delegation wizard in ADUC on the OU you want to restrict. It just takes a little poking around as there are potentially lots of settings, but a Deny Create should be easy to obtain in the Wizard.
0
 

Author Comment

by:JodyBear
ID: 37833191
i've tried deny create objects when applying the special permissions of OU objects, i've tried denying create child objects for user objects, etc - i can't seem to find a way to deny creation without losing all ability of that group to manage any other attributes.  can't seem to find a way.
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 37833211
Have you tried getting more granular and just deny "create user objects"  not just objects,  (see screenshot)

screenshot ACL
Thanks

Mike
0
 

Author Comment

by:JodyBear
ID: 37833265
yes, i tried that with no luck.  still trying different combinations.
0
 

Assisted Solution

by:JodyBear
JodyBear earned 0 total points
ID: 37833562
ok.  apologies.  i failed to include the user in that security group :-)

if you use the delegation wizard to create, mng etc for the account, and then goto the security tab for the OU - leave the full control ACL for the group alone - and edit the create/delete object entry to deny as shown above in mkline71 entry, that will allow full access but disable creation/deletion of user objects.

thanks everyone.
0
 

Author Closing Comment

by:JodyBear
ID: 37850334
i included my answer as well as it was even more specific in the instructions of how to do it.  all points should go to him.  thank you.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question