Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Active Directory What Rights does a User need to create  users in AD

Posted on 2014-04-11
3
Medium Priority
?
1,039 Views
Last Modified: 2014-04-25
We run AD 2008 R2.  I thought only Domain admins had any access rights to pull up ADUC or create and delete users.  We have a user not apart of our Domain admins group but he was able to access ADCU and create a new user. Any ideas how I can find out if hes been delegated access for his OU or what rights groups hes part of that could grant him these permissions?

Thanks
0
Comment
Question by:Twhite0909
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39994624
You need the create user permission.
Here is a link of how to view delegated permissions:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39995023
Simple...

1)  If you know who the user is, and you know what account he created, go to that OU in Active Directory
2)  Right click on it and select Properties
3)  Look on the security tab for this person's name
4)  If you find it, modify the rights so he cannot perform these actions again
5)  If you don't find his name, look for groups on the Security Tab and if there are groups check to see if he is apart of them; if he is, remove him.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 2000 total points
ID: 39995762
A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:


1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

Note instead of group you can select user and assign the permission on domain or OU as per requirement.

More see below links
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question