Solved

Active Directory What Rights does a User need to create  users in AD

Posted on 2014-04-11
3
606 Views
Last Modified: 2014-04-25
We run AD 2008 R2.  I thought only Domain admins had any access rights to pull up ADUC or create and delete users.  We have a user not apart of our Domain admins group but he was able to access ADCU and create a new user. Any ideas how I can find out if hes been delegated access for his OU or what rights groups hes part of that could grant him these permissions?

Thanks
0
Comment
Question by:Twhite0909
3 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 39994624
You need the create user permission.
Here is a link of how to view delegated permissions:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39995023
Simple...

1)  If you know who the user is, and you know what account he created, go to that OU in Active Directory
2)  Right click on it and select Properties
3)  Look on the security tab for this person's name
4)  If you find it, modify the rights so he cannot perform these actions again
5)  If you don't find his name, look for groups on the Security Tab and if there are groups check to see if he is apart of them; if he is, remove him.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39995762
A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:


1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

Note instead of group you can select user and assign the permission on domain or OU as per requirement.

More see below links
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This is my first article in EE and english is not my mother tongue so any comments you have or any corrections you would like to make, please feel free to speak up :) For those of you working with AD, you already are very familiar with the classi…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now