Can I create conflicting groups in Active Directory?


  • Can I create conflicting groups in Active Directory?

    Hello!!
    I'm wondering whether it is possible to create conflicting/contradicting groups, for example

    SEC-Admins
    SEC-NonAdmins

    Then somehow, if user Mark.Davies was already a member of SEC-Admins and somebody tries to add the user to SEC-NonAdmins then you get a message saying that the "user is already in a conflicting group" or something like that?

    Would be very handy.

    Any ideas?

    Thanks a lot
    Mark

  • #2
    I don't think so - AD doesn't work that way.
    You would create the two groups, apply allow permissions to one and deny to the other, then the deny would beat the allow, but AFAIK no way natively of preventing a user being added to both groups.

    Of course, a scheduled script that trawled through group memberships would get part way there...
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      This isn't something that's built in, but you could certainly have a PowerShell task which runs on a tight schedule to monitor memberships. This task can be written to remove people added to conflicting groups, send notification, add an auditing event. The possibilities are limited only by your imagination.
      Rules of life:
      1. Never do anything that requires thinking after 2:30 PM
      2. Simplicity is godliness
      3. Scale with extreme prejudice


      I occasionally post using a savantphone, so please don't laugh too hard at the typos...
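
The scheduled membership check suggested in replies #2 and #3, as an added example that is not code from any poster in this thread. It assumes the RSAT ActiveDirectory module; the function name `Find-ConflictingMembership`, the `First`/`Second` pair table and the choice to remove from the second group are hypothetical. It detects conflicts after the fact and does not stop the user being added.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Group names are the ones from the question; add more pairs as needed.
$Pairs = @(
    @{ First = 'SEC-Admins'; Second = 'SEC-NonAdmins' }
)

function Find-ConflictingMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable[]] $Pairs,
        [switch] $Remediate   # assumption: on conflict, drop the user from the Second group
    )
    foreach ($pair in $Pairs) {
        # -Recursive flattens nested groups, so indirect membership is caught too.
        # Index the first group's users by DN (hashtable keys are case-insensitive).
        $inFirst = @{}
        Get-ADGroupMember -Identity $pair.First -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $inFirst[$_.distinguishedName] = $true }

        Get-ADGroupMember -Identity $pair.Second -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $inFirst.ContainsKey($_.distinguishedName) } |
            ForEach-Object {
                # One record per user found in both groups of the pair.
                [pscustomobject]@{
                    User              = $_.SamAccountName
                    DistinguishedName = $_.distinguishedName
                    Groups            = "$($pair.First), $($pair.Second)"
                    FoundAt           = Get-Date
                }
                # Remove-ADGroupMember only changes direct membership; a conflict that
                # comes from a nested group has to be fixed on the parent group by hand.
                if ($Remediate -and
                    $PSCmdlet.ShouldProcess($_.distinguishedName, "Remove from $($pair.Second)")) {
                    Remove-ADGroupMember -Identity $pair.Second -Members $_ -Confirm:$false
                }
            }
    }
}

# Report only (safe to schedule); pipe the records to mail, CSV or an event log.
Find-ConflictingMembership -Pairs $Pairs
# Dry run of the clean-up: shows what would be removed without changing anything.
Find-ConflictingMembership -Pairs $Pairs -Remediate -WhatIf | Out-Null
```

Run it from a scheduled task under an account that can read both groups; the `-Remediate` path additionally needs write access to the second group's member attribute.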
