Solved

Need to remove Create Users from OU for security group

Posted on 2012-04-11
7
277 Views
Last Modified: 2012-04-16
hello,

     i've tried with the delegation wizard and specific ACLs on the OU, with no luck.  I need to give a security group permissions to manage all aspects of user accounts in an OU, but take away the ability to create new users in that OU - that should reside with our help desk.  i can't figure out a way to do it.  anyone know how?
0
Comment
Question by:JodyBear
  • 4
  • 2
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37832970
Can't test right now but if you right click the OU then go to the security tab and then advanced, if you select that group and give them "Deny" rights for "create user objects"   does that work.

Thanks

Mike
0
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37832995
Following mkline71, you can def. do that thru the Delegation wizard in ADUC on the OU you want to restrict. It just takes a little poking around as there are potentially lots of settings, but a Deny Create should be easy to obtain in the Wizard.
0
 

Author Comment

by:JodyBear
ID: 37833191
i've tried deny create objects when applying the special permissions of OU objects, i've tried denying create child objects for user objects, etc - i can't seem to find a way to deny creation without losing all ability of that group to manage any other attributes.  can't seem to find a way.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 37833211
Have you tried getting more granular and just deny "create user objects"  not just objects,  (see screenshot)

screenshot ACL
Thanks

Mike
0
 

Author Comment

by:JodyBear
ID: 37833265
yes, i tried that with no luck.  still trying different combinations.
0
 

Assisted Solution

by:JodyBear
JodyBear earned 0 total points
ID: 37833562
ok.  apologies.  i failed to include the user in that security group :-)

if you use the delegation wizard to create, mng etc for the account, and then goto the security tab for the OU - leave the full control ACL for the group alone - and edit the create/delete object entry to deny as shown above in mkline71 entry, that will allow full access but disable creation/deletion of user objects.

thanks everyone.
0
 

Author Closing Comment

by:JodyBear
ID: 37850334
i included my answer as well as it was even more specific in the instructions of how to do it.  all points should go to him.  thank you.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question