Restricted access to group membership in AD 1

[siulong2002]

Hi,

I've created an OU for some restricted accounts that I only want Domain Admins from being able to change.
Service desk and desktop staff should only be able to view details and reset the password.

I have changed the security settings for the OU to Read, Change Password, Reset Password but still they can use add remove group memberships but everything else is 'greyed out'

Has anyone managed to successfully restrict groups from changing membership groups of user accounts?

Many Thanks

 

[TechyMcSe2k]

Create a GPO and set up Restricted Groups and assign that group and the members it should have. And then control access to that GPO to be domain admins only.

http://technet.microsoft.com/en-us/library/cc785631.aspx

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!

 

[Rockstar101]

Sounds like you have it almost done. I would leave it the way you have it but go to the OU you've created and assign delegation for the OU. Do customized delegation and you will have the opportunity to restrict them from creating Groups.

Good luck.