abantaMemberJun 07, 2018 at 7:04 pm #167580
I’ve been working on this for the past two days and searching nonstop for a solution to this for the past 6 hours. Either the answer is hidden extremely well, or I just can’t find it… and being frustrated with the situation doesn’t help, so any advice/help would be greatly appreciated.
I have an admin user (let’s call him John Doe) who needs the ability to add/delete/manage all user accounts (including managing group membership) in the domain, but I need to limit his permissions to exclude him from adding his account to any higher permission level groups, e.g. Domain Admins.
I have tried to delegate control over the needed OU, but that allows, not deny. I used that and went back into the OU and switched it to deny, but no dice. I can manually specify a deny entry on a group for the “Write Members” attribute, but that will prevent them from adding another user when needed.
I’ve tried an explicit deny “write group membership” for “SELF” on jdoe, and for “JDOE” itself, on the group, and on the OU, and nothing will take.
I’m completely lost. As stated earlier, I can’t find any reference anywhere on which specific attributes are required for this (or any situation at all for that matter). The attributes can be extremely vague when looking at them and apparently everyone is just supposed to “know” which specific attributes control which specific permissions without any direction from Microsoft whatsoever. (This is just one of the many situations I’m dealing with)
Any ideas on where to look or how to implement this? (or any other granular AD permissions)
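An added example, not part of the original post: a PowerShell function that lists the ACEs on a group which allow or deny WriteProperty on the `member` attribute (the “Write Members” right the post refers to), so you can see whether an explicit Deny actually landed and where any Allow is inherited from. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the group’s security descriptor; `Domain Admins` is used as the sample group name from the post.

```powershell
# Added example (not from the original post). Shows which principals hold an
# allow or deny for WriteProperty on the 'member' attribute of a group.
# Assumes the ActiveDirectory module (RSAT) is available and the AD: PSDrive
# it provides can be read by the current user.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute; this value is the same in every forest
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-WriteMembersAces {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    $acl.Access | Where-Object {
        # Keep entries whose rights include WriteProperty (GenericWrite and
        # GenericAll contain that bit too) and that are either scoped to the
        # member attribute or unscoped (ObjectType empty = all properties).
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $memberAttrGuid) { 'member' } else { '(all properties)' } } },
        IsInherited
}

# Usage: who can change the membership of Domain Admins, and is each entry an
# explicit entry on the group itself or inherited from a parent container?
Get-WriteMembersAces -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Explicit (non-inherited) entries are evaluated before inherited ones, so an entry showing `IsInherited = False` with `AccessControlType = Deny` is the one that should take effect for that principal; if it is missing from the output, the deny was not written where you expected.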