Restrict group membership to hierarchy
    I have been attempting to find a way to restrict membership of AD security groups to be only members of a specific OU hierarchy.

    An example:

    domain.com
    OUA
    USERA
    OUB
    OUC
    SUBOUA

    USERB
    GROUPA
    USERC

    Hope that diagram isn't too messy. What I would like is a way to make sure that an administrator who has rights over GROUPA would only be able to add USERB and USERC to that group, not USERA - thus enforcing the restriction of group membership to users in the same hierarchy.
    The reason for doing this is that we use groups for permissioning resources, and would like an administrator who supports a particular OU be only able to add users within his OU to the group which allows access to a particular resource.

    As it stands, if you have rights over a group, you can add any user/computer/group object within the domain into that group, which messes up the model of administrative delegation somewhat.

    Any and all suggestions welcomed, thanks.
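The question above hinges on a property of the AD permission model it describes: write access to a group's member attribute is a right on the group object, and the DACL cannot restrict which distinguished names may be written into it. A detective control is the usual fallback, so below is an added example (written for this page, not code from the original post or from any product) that audits a group's direct members and reports any whose DN lies outside a permitted OU subtree. It assumes the ActiveDirectory module (RSAT) is installed and that the group name and OU DN shown are placeholders standing in for the thread's GROUPA and SUBOUA; the OU nesting in the DN is assumed, not taken from the post.

```powershell
# Added example, not from the original post: report members of a group whose
# distinguishedName is outside an allowed OU subtree. Requires the
# ActiveDirectory module (RSAT). Group name and OU DN are placeholders.
Import-Module ActiveDirectory

function Test-GroupMembershipScope {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. 'GROUPA'
        [Parameter(Mandatory)] [string] $AllowedOU    # DN of the permitted subtree
    )

    # Read the raw 'member' attribute: the DN list is all that is needed here,
    # and it avoids the result-size limits Get-ADGroupMember hits on large groups.
    $group  = Get-ADGroup -Identity $GroupName -Properties member
    $suffix = ',' + $AllowedOU

    foreach ($dn in $group.member) {
        # An object sits inside the subtree exactly when its DN ends with
        # ",<OU DN>"; DN comparison in AD is case-insensitive.
        $inScope = $dn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
        $obj = Get-ADObject -Identity $dn

        [pscustomobject]@{
            Group       = $group.DistinguishedName
            Member      = $dn
            ObjectClass = $obj.ObjectClass
            InScope     = $inScope
            # A nested group can carry out-of-scope users in transitively even
            # when the group object itself is inside the OU, so flag it for
            # a recursive check rather than trusting the DN test alone.
            NestedGroup = ($obj.ObjectClass -eq 'group')
        }
    }
}

# Placeholder values (assumed for this example, not from the thread):
$findings = Test-GroupMembershipScope -GroupName 'GROUPA' `
    -AllowedOU 'OU=SUBOUA,OU=OUC,OU=OUB,DC=domain,DC=com' |
    Where-Object { -not $_.InScope -or $_.NestedGroup }

$findings | Format-Table -AutoSize
```

Run on a schedule against each delegated group, this turns the gap into something you can detect and revert, though it never prevents the write. Pairing it with the security-log membership-change events (4728, 4732 and 4756 for global, domain-local and universal security groups respectively) lets the out-of-scope additions be alerted on as they happen rather than at the next audit run.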