Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restricted access to group membership in AD 1

Status
Not open for further replies.

siulong2002

Programmer
Jan 15, 2003
38
GB
Hi,

I've created an OU for some restricted accounts that I only want Domain Admins from being able to change.
Service desk and desktop staff should only be able to view details and reset the password.

I have changed the security settings for the OU to Read, Change Password, Reset Password but still they can use add remove group memberships but everything else is 'greyed out'

Has anyone managed to successfully restrict groups from changing membership groups of user accounts?

Many Thanks
 
Create a GPO and set up Restricted Groups and assign that group and the members it should have. And then control access to that GPO to be domain admins only.


________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
Sounds like you have it almost done. I would leave it the way you have it but go to the OU you've created and assign delegation for the OU. Do customized delegation and you will have the opportunity to restrict them from creating Groups.

Good luck.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top