Active Directory What Rights does a User need to create users in AD

We run AD 2008 R2. I thought only Domain admins had any access rights to pull up ADUC or create and delete users. We have a user who is not a part of our Domain admins group, but he was able to access ADUC and create a new user. Any ideas how I can find out if he's been delegated access for his OU or what rights groups he's part of that could grant him these permissions?

Thanks
Twhite0909 Asked:
 
Sandeshdubey (Senior Server Engineer) Commented:
A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:


1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

Note: instead of a group, you can select a user and assign the permission on the domain or OU as per requirement.

For more, see the links below:
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
 
becraig Commented:
You need the create user permission.
Here is a link of how to view delegated permissions:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
 
Brad Bouchard (Information Systems Security Officer) Commented:
Simple...

1) If you know who the user is, and you know what account he created, go to that OU in Active Directory
2) Right-click on it and select Properties
3) Look on the Security tab for this person's name
4) If you find it, modify the rights so he cannot perform these actions again
5) If you don't find his name, look for groups on the Security tab, and if there are groups, check to see if he is a part of them; if he is, remove him.
Question has a verified solution.
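
One way to run the Security-tab check from the answers above in PowerShell, as an added example that is not part of any answer in this thread: it filters an OU's ACL for Allow entries that let the account, or a group it belongs to, create user objects. The OU, account and group names are constructed, and the function names `Find-UserCreationAce` and `New-SampleAce` are hypothetical.

```powershell
# Added example (not from the thread). Flags ACEs on an OU that allow creating user objects.
# schemaIDGUID of the "user" class, which a delegated "create user" ACE carries as ObjectType.
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Find-UserCreationAce {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Aces,        # entries of (Get-Acl ...).Access
        [Parameter(Mandatory = $true)] [string[]] $Principals   # account + its groups, no domain prefix
    )
    foreach ($ace in $Aces) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        # InheritOnly ACEs govern descendant objects, not what can be created in this OU.
        if ("$($ace.PropagationFlags)" -match 'InheritOnly') { continue }
        # GenericAll (Full Control) includes CreateChild.
        if ("$($ace.ActiveDirectoryRights)" -notmatch 'GenericAll|CreateChild') { continue }
        # An all-zero ObjectType means the right covers every child class, not only users.
        $type = [guid]"$($ace.ObjectType)"
        if ($type -ne [guid]::Empty -and $type -ne $UserClass) { continue }
        # Compare on the name after "DOMAIN\" so BUILTIN groups match as well.
        $name = ("$($ace.IdentityReference)" -split '\\')[-1]
        if ($Principals -contains $name) {
            New-Object psobject -Property @{
                Principal = "$($ace.IdentityReference)"
                Rights    = "$($ace.ActiveDirectoryRights)"
                Scope     = if ($type -eq [guid]::Empty) { 'all child classes' } else { 'user objects' }
                Inherited = [bool]$ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs standing in for (Get-Acl "AD:\OU=Branch,DC=example,DC=com").Access
function New-SampleAce($Id, $Rights, $Type, $Flags) {
    New-Object psobject -Property @{ IdentityReference = $Id; AccessControlType = 'Allow'
        ActiveDirectoryRights = $Rights; ObjectType = $Type; PropagationFlags = $Flags; IsInherited = $false }
}
$sample = @(
    (New-SampleAce 'EXAMPLE\Domain Admins' 'GenericAll' ([guid]::Empty) 'None'),
    (New-SampleAce 'EXAMPLE\Branch-IT' 'CreateChild, DeleteChild' $UserClass 'None'),
    (New-SampleAce 'EXAMPLE\Helpdesk' 'GenericAll' ([guid]::Empty) 'InheritOnly')
)
# Constructed case: jdoe is in Branch-IT and Helpdesk; the Helpdesk ACE is InheritOnly.
Find-UserCreationAce -Aces $sample -Principals 'jdoe', 'Domain Users', 'Branch-IT', 'Helpdesk'

# Against a live domain (after Import-Module ActiveDirectory) the inputs would come from:
#   $Aces = (Get-Acl "AD:\<OU distinguished name>").Access
#   $u    = Get-ADUser <account>
#   $grp  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))"
#   $Principals = @($u.SamAccountName) + @($grp | ForEach-Object { $_.SamAccountName })
```

The LDAP filter in the closing comments resolves nested group membership but not the account's primary group, so add that name by hand. Matching on the name after the backslash can also match a same-named group from another domain, so confirm each hit against the OU's Security tab.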
