Deny user permissions to add self to group

Home Forums Microsoft Networking and Management Services Active Directory Deny user permissions to add self to group

This topic contains 5 replies, has 4 voices, and was last updated by  jprice 8 months, 1 week ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author

  • abanta

    I’ve been working on this for the past two days and searching nonstop for a solution to this for the past 6 hours. Either the answer is hidden extremely well, or I just can’t find it… and being frustrated with the situation doesn’t help so any advicehelp would be greatly appreciated.

    I have an admin user (lets call him John Doe) who needs the ability to adddeletemanage all user accounts (including managing group membership) in the domain but I need to limit his permissions to exclude him from adding his account to any higher permission level groups, e.g. Domain Admins.

    I have tried to delegate control over the needed OU, but that allows, not deny. I used that and went back into the OU and switched it to deny, but no dice. I can manually specify a deny entry on a group for the “Write Members” attribute, but that will prevent them from adding another user when needed.

    I’ve tried to an explicit deny “write group membership” for “SELF” on jdoe, and for “JDOE” itself, on the group, and on the OU and nothing will take.

    I’m completely lost. As stated earlier, I can’t find any reference anywhere on which specific attributes are required for this (or any situation at all for that matter). The attributes can be extremely vague when looking at them and apparently everyone is just supposed to “know” which specific attributes control which specific permissions without any direction from Microsoft whatsoever. (This is just one of the many situations I’m dealing with)

    Any ideas on where to look or how to implement this? (or any other granular AD permissions)


    What admin rights does he have?

    Ideally he should have any rights to anything other than whats been delegated to him.

    How are your OU’s set at the moment? Maybe you need to look at changing that to meet your requirements?



    Move your users to OU1 and then assign him delegation rights there? You domain admins group is in the Users OU so there is no delegation on there for him to change the group memberships.

    Does that make sense?


    He has only been delegated full control of users and groups within OU1 with the exception of adding/removing self to a group. He has no other permissions in those two OUs. He is still able to add himself to a group in OU1 regardless of where he resides.

    Ive tried delegating full control of users in OU1 without write membership, and full control of groups in OU2 without add self to group permission and neither one are enforced in any combination.


    How about going with “policies and procedures” plus auditing of AD management events – if he does things he shouldn’t, show him the door


    In a perfect world that would work, but unfortunately at this establishment there are almost no consequences which is why we are trying to prevent a situation rather than react to one.


    So is your Domain Admins group located in OU1 rather than Built-In?? If so remove it and he won’t be able to add himself to it.

    I’m busy this weekend but i could get a quick domain hooked up and test it but i have this very setup working in our system. Each office that has a local IT guy is given full control over the contents of the OU’s for the site they look after.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.