
Adding Users Into Active Directory Groups


jwithi (Technical User, GB), Jan 13, 2008
Afternoon,

Does anyone know of a webpage or form that our desktop technicians can use to simply add users into Active Directory Groups?

We do not want to give them access to AD, and although I know you can restrict what users can do in AD, we are not yet able to do this.

Any ideas?
 
There are lots of ways to do this, but all of them would require some programming on the backend using ASP, VB, Perl, or Java, etc. There are also Resource Kit tools (UsrToGrp, for instance) that could be tied into a simple script to accomplish the same thing.

That being said, and no offense intended, because this may just be a policy (albeit a somewhat ridiculous one) at your company, but not using AD as designed to delegate tasks to desktop technicians such as adding users to groups and resetting passwords is bordering on paranoia.
 
I would have to agree. Almost any tool you're going to use is going to require you touching security to keep them out of where they shouldn't be. AD delegation was designed specifically for what you're trying to do.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Thanks for the reply chipk! and no offense taken.

The previous system admin did not really know what he was doing, and all the technicians have been given 'Domain Admin' access; most of them do not have a clue how to use AD or what the implications would be if they 'accidentally' did something wrong. Eventually we are hoping to take this access off them, and then it will allow us to delegate control to them for adding users to specific groups etc...

I have seen various VBScripts that add users to a group, but you have to define in the script the users and the groups' location in AD, which would cause issues.

Ideally I would like something that, when run, prompts you for a username and a group for that user to be added to.

I will keep on looking, but if anyone else has any ideas please let me know.
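The prompting tool described above, written as an added example for this thread rather than anything posted in it. It uses the ActiveDirectory PowerShell module (RSAT) instead of VBScript, takes the user and group interactively so nothing is hard-coded, and refuses to touch privileged groups so the script stays safe even when the caller still holds broad rights. The log path and the protected-group list are assumptions to adjust for your domain.

```powershell
# Added example (not from the thread): prompt a technician for a user and a group,
# validate both, refuse privileged groups, then add the member and write an audit line.
# Assumes the ActiveDirectory module is installed and the caller has been delegated
# "Write Members" on the target groups (or, as in this thread, still has wider rights).
Import-Module ActiveDirectory

$LogPath = 'C:\Logs\group-changes.log'   # placeholder path; change for your environment

# Groups a help-desk tool must never modify, regardless of the caller's rights.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Administrators', 'Account Operators', 'Server Operators')

function Add-TechUserToGroup {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # -Identity lookups throw on a missing object, so the typed value is never
    # spliced into an LDAP filter string.
    try   { $user = Get-ADUser -Identity $UserName -ErrorAction Stop }
    catch { throw "User '$UserName' not found." }

    try   { $group = Get-ADGroup -Identity $GroupName -Properties adminCount, member -ErrorAction Stop }
    catch { throw "Group '$GroupName' not found." }

    # Block privileged groups: the explicit list plus anything AdminSDHolder protects (adminCount=1).
    if ($ProtectedGroups -contains $group.Name -or $group.adminCount -eq 1) {
        throw "Group '$($group.Name)' is privileged; this tool will not modify it."
    }

    if ($group.member -contains $user.DistinguishedName) {
        Write-Host "$($user.SamAccountName) is already a member of $($group.Name)."
        return
    }

    Add-ADGroupMember -Identity $group -Members $user -Confirm:$false

    # Audit trail: who ran the tool, when, and what changed.
    "$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME added $($user.SamAccountName) to $($group.Name)" |
        Add-Content -Path $LogPath
    Write-Host "Added $($user.SamAccountName) to $($group.Name)."
}

# Interactive use: the user and group are asked for at run time, not fixed in the script.
$u = Read-Host 'User name (sAMAccountName)'
$g = Read-Host 'Group name'
Add-TechUserToGroup -UserName $u -GroupName $g
```

The adminCount check matters because a group can be privileged without appearing in the hard-coded list (anything under AdminSDHolder protection carries adminCount=1). The script enforces the same restriction that a proper OU delegation would, but it is a convenience layer, not a substitute: as the replies below point out, a technician who is still a Domain Admin can bypass it with any other tool.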
 
If they have domain admin access now, nothing is stopping them from mangling things. Give them the ADUC snap-in and train them. You'll have to train them on either this or whatever 3rd party tool you use. You might as well use what's built in, and designed specifically for this purpose.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
You can kind of control your admins by providing them with an MMC console saved to a specific delegated OU. Open MMC, choose Add/Remove Snap-in, add ADUC, then drill down to the OU you want them to manage. Right-click on the OU and choose "New Window from Here". It will open a new MMC with just that OU for management. Then save that MMC file and give it to those who are delegated that responsibility.

Just a thought...:)
 
Remove them from Domain Admins and add them to Account Operators. They will be able to manage all accounts except accounts with elevated privileges.
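An added example (not posted in the thread) of the move suggested above, done with the ActiveDirectory module: it checks which of the named technician accounts are actually in Domain Admins (including via nested groups), and only with -Apply does it add them to Account Operators and remove them from Domain Admins. The technician names are constructed sample values.

```powershell
# Added example (not from the thread): move technician accounts from Domain Admins
# to Account Operators. Dry run by default; pass -Apply to make the change.
# Assumes the ActiveDirectory module is installed and the caller is a Domain Admin.
Import-Module ActiveDirectory

$Technicians = @('tech1', 'tech2')   # constructed sample sAMAccountNames

function Move-TechsToAccountOperators {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [switch]$Apply
    )

    # -Recursive catches members that got Domain Admin through a nested group.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    foreach ($name in $Names) {
        if ($domainAdmins -notcontains $name) {
            Write-Host "$name is not in Domain Admins; nothing to do."
            continue
        }
        if (-not $Apply) {
            Write-Host "DRY RUN: would move $name from Domain Admins to Account Operators."
            continue
        }
        # Grant the lesser role first so the account is never left with no role at all.
        Add-ADGroupMember    -Identity 'Account Operators' -Members $name -Confirm:$false
        Remove-ADGroupMember -Identity 'Domain Admins'     -Members $name -Confirm:$false
        Write-Host "Moved $name from Domain Admins to Account Operators."
    }
}

Move-TechsToAccountOperators -Names $Technicians          # report only
# Move-TechsToAccountOperators -Names $Technicians -Apply # make the change
```

Two caveats a practitioner would want: the removal only takes effect on a technician's next logon, because group membership lives in the Kerberos ticket, and an account that leaves Domain Admins keeps adminCount=1 and its AdminSDHolder-stamped ACL until that is cleared by hand. Account Operators is itself a broad built-in role; delegating "Write Members" on a specific OU, as the earlier replies suggest, is the narrower option.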
 
Yep, I agree. As Domain Admins, nothing is stopping them from dropping to a command prompt and running any number of tools to change group membership, including removing everyone from Enterprise Admin, Domain Admin, and Schema Admin groups.

One wrong turn and.....

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I think we will look at setting up a custom MMC that they can use for now until we sort their permissions out.

Luckily only a few know that they have access to AD, and we have caught a few messing with things instead of coming to us.

I would love to take Domain Admins off them, but they have had it since before I started, and when it was mentioned that it would be removed they threw a bit of a paddy!

They no longer know the Administrator's password, which is one thing I guess!
 
Irrelevant; as Domain Admins they can go change it. Let them throw a paddy (whatever that is)... remove Domain Admins from their accounts and sort this out the right way immediately.

If they'll throw a paddy over losing the rights, do you expect them to not go in and try to screw things up for you while they still can?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Here's an idea. Remove them from Domain Admins, put them in Account Operators and just don't tell them. If they're only doing what they're supposed to do, they won't even notice.
 