Stop an AD Group being added to another AD Group- Possible?
  • Stop an AD Group being added to another AD Group- Possible?

    Hi All and thanks for taking the time to read my question.

    I have a Windows 2003 Native Domain.

    I have been asked whether it is possible to ensure that a single AD group cannot be added to any other AD group.

    After playing with the security on a test global group called TEST1, I have managed to stop any AD object being added via the memberOf tab on the TEST1 group properties by changing the Write and Read MemberOf attributes. But if I go to another group, let's say TEST2, I can easily add TEST1 as a member.

    Is it possible to stop TEST1 being added to any other group via the Members tab?

    TIA

    CooLix

  • #2
    Re: Stop an AD Group being added to another AD Group- Possible?

    You could use Restricted Groups GPO.

    However, you need to be very careful with it.

    And ultimately, even if you can prevent Group1 from being a member of Group2, if you make Group3 a member of Group2, and then Group1 a member of Group3, it'd still be the same aim.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



    • #3
      Re: Stop an AD Group being added to another AD Group- Possible?

      Cheers for the reply.

      Restricted Groups GPO would only control members of the TEST1 group and can also ensure it is a member of another group, i.e. set TEST1 to always be a member of the TEST2 group.

      It won't control group membership with the aim of removing it out of groups it isn't meant to be in.

      Cheers

      Coolix



      • #4
        Re: Stop an AD Group being added to another AD Group- Possible?

        But that's what Restricted Groups does.

        If you say GroupA is a restricted group, and only these groups can be a member:

        Group D, Group E, Group F

        and then you try and add GroupB, it will actually remove GroupB.

        If you add GroupB to GroupD though, it won't remove it. You'd need to then restrict membership to the groups that may belong to this one.


        I'm a bit confused as to what we're actually trying to achieve. Can't you just add some info in your config database, stating that group B cannot belong to groupA, even if it's nested?
        Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif
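
The nesting problem raised in replies #2 and #4 can be audited by walking group membership upward from the group in question. The following is an added example, not code from any poster in the thread: the membership map, the `$Allowed` list, the group `TEST3` and the function name `Get-NestingPath` are all constructed for illustration.

```powershell
# Constructed sample data: group name -> groups that are its direct members.
# Assumption: in a live domain this map would be built from the 'member'
# attribute of each group (for example via Get-ADGroup -Properties member).
$DirectMembers = @{
    'TEST2'  = @('TEST3')   # TEST1 reaches TEST2 only through TEST3
    'TEST3'  = @('TEST1')
    'GroupD' = @('TEST1')
    'GroupE' = @()
}

# Hypothetical policy: the only groups TEST1 may belong to, directly or nested.
$Allowed = @('GroupD')

function Get-NestingPath {
    param([string]$Target, [hashtable]$Map)

    $results = @()
    $seen    = @{ $Target = $true }          # guards against circular nesting
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue([pscustomobject]@{ Node = $Target; Path = $Target; Depth = 0 })

    # Breadth-first walk: find every group that contains the current node,
    # then repeat for each of those groups.
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($group in $Map.Keys) {
            if (($Map[$group] -contains $item.Node) -and -not $seen.ContainsKey($group)) {
                $seen[$group] = $true
                $next = [pscustomobject]@{
                    Node  = $group
                    Path  = "$($item.Path) -> $group"
                    Depth = $item.Depth + 1
                }
                $results += [pscustomobject]@{
                    Group  = $group
                    Nested = ($next.Depth -gt 1)   # True when reached through another group
                    Path   = $next.Path
                }
                $queue.Enqueue($next)
            }
        }
    }
    $results
}

# Report every group TEST1 effectively belongs to that the policy does not allow.
Get-NestingPath -Target 'TEST1' -Map $DirectMembers |
    Where-Object { $Allowed -notcontains $_.Group } |
    Format-Table -AutoSize
```

A check on direct members alone would miss the `TEST2` entry, which is only reachable through the intermediate group.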
