Solved

Active Directory What Rights does a User need to create  users in AD

Posted on 2014-04-11
3
716 Views
Last Modified: 2014-04-25
We run AD 2008 R2.  I thought only Domain admins had any access rights to pull up ADUC or create and delete users.  We have a user not apart of our Domain admins group but he was able to access ADCU and create a new user. Any ideas how I can find out if hes been delegated access for his OU or what rights groups hes part of that could grant him these permissions?

Thanks
0
Comment
Question by:Twhite0909
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39994624
You need the create user permission.
Here is a link of how to view delegated permissions:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39995023
Simple...

1)  If you know who the user is, and you know what account he created, go to that OU in Active Directory
2)  Right click on it and select Properties
3)  Look on the security tab for this person's name
4)  If you find it, modify the rights so he cannot perform these actions again
5)  If you don't find his name, look for groups on the Security Tab and if there are groups check to see if he is apart of them; if he is, remove him.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39995762
A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:


1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

Note instead of group you can select user and assign the permission on domain or OU as per requirement.

More see below links
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question