Solved

Active Directory What Rights does a User need to create  users in AD

Posted on 2014-04-11
3
798 Views
Last Modified: 2014-04-25
We run AD 2008 R2.  I thought only Domain admins had any access rights to pull up ADUC or create and delete users.  We have a user not apart of our Domain admins group but he was able to access ADCU and create a new user. Any ideas how I can find out if hes been delegated access for his OU or what rights groups hes part of that could grant him these permissions?

Thanks
0
Comment
Question by:Twhite0909
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39994624
You need the create user permission.
Here is a link of how to view delegated permissions:
https://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39995023
Simple...

1)  If you know who the user is, and you know what account he created, go to that OU in Active Directory
2)  Right click on it and select Properties
3)  Look on the security tab for this person's name
4)  If you find it, modify the rights so he cannot perform these actions again
5)  If you don't find his name, look for groups on the Security Tab and if there are groups check to see if he is apart of them; if he is, remove him.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39995762
A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:


1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

Note instead of group you can select user and assign the permission on domain or OU as per requirement.

More see below links
http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question