Solved

Need to remove Create Users from OU for security group

Posted on 2012-04-11
7
278 Views
Last Modified: 2012-04-16
hello,

     i've tried with the delegation wizard and specific ACLs on the OU, with no luck.  I need to give a security group permissions to manage all aspects of user accounts in an OU, but take away the ability to create new users in that OU - that should reside with our help desk.  i can't figure out a way to do it.  anyone know how?
0
Comment
Question by:JodyBear
  • 4
  • 2
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37832970
Can't test right now but if you right click the OU then go to the security tab and then advanced, if you select that group and give them "Deny" rights for "create user objects"   does that work.

Thanks

Mike
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37832995
Following mkline71, you can def. do that thru the Delegation wizard in ADUC on the OU you want to restrict. It just takes a little poking around as there are potentially lots of settings, but a Deny Create should be easy to obtain in the Wizard.
0
 

Author Comment

by:JodyBear
ID: 37833191
i've tried deny create objects when applying the special permissions of OU objects, i've tried denying create child objects for user objects, etc - i can't seem to find a way to deny creation without losing all ability of that group to manage any other attributes.  can't seem to find a way.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 37833211
Have you tried getting more granular and just deny "create user objects"  not just objects,  (see screenshot)

screenshot ACL
Thanks

Mike
0
 

Author Comment

by:JodyBear
ID: 37833265
yes, i tried that with no luck.  still trying different combinations.
0
 

Assisted Solution

by:JodyBear
JodyBear earned 0 total points
ID: 37833562
ok.  apologies.  i failed to include the user in that security group :-)

if you use the delegation wizard to create, mng etc for the account, and then goto the security tab for the OU - leave the full control ACL for the group alone - and edit the create/delete object entry to deny as shown above in mkline71 entry, that will allow full access but disable creation/deletion of user objects.

thanks everyone.
0
 

Author Closing Comment

by:JodyBear
ID: 37850334
i included my answer as well as it was even more specific in the instructions of how to do it.  all points should go to him.  thank you.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question