Active Directory Group Permissioning
-
In order to add users to an AD group, you need to have modify rights over the group. You don't need to have anything but view rights over the user. This means that anyone with rights over a group can add any user they like into this group. Does anyone know of a way to restrict the users who can be added to that group to, for example, users within a particular OU?
-
If the user has been trusted with access to Active Directory and the group in question, then they should be trusted as to which users they add. If they are untrustworthy, why let them near it? This is why we have admins :P
-
It's not a question of trustworthiness, it's a question of responsibility. Each line of business has its own OU structure and its own support team. Groups are used for permissioning resources. The support team for (for example) Sales should not be able to provide resources to someone in Marketing by adding them into a group that is in the Sales OU. I want to be able to ensure that only a user's own support team can add them into groups that give them access to resources. Unfortunately, I don't think it's possible.
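A detective check for the boundary described in this thread, as an added example that is not part of the original posts: it flags members of groups inside a line-of-business OU whose accounts live outside that OU. The OU names, DNs and function names are constructed for illustration; in practice the member DNs would be read from each group's `member` attribute.

```python
# Added example: audit group membership against a line-of-business OU boundary.
# All DNs are constructed sample data; function names are hypothetical.
def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p.lower() for p in parts]   # AD compares DNs case-insensitively

def is_under(dn, base_dn):
    """True if dn sits at or below base_dn, compared RDN by RDN."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base

def out_of_scope_members(groups, business_ou):
    """Return (group_dn, member_dn) pairs where a group inside business_ou
    has a member whose account lives outside business_ou."""
    return [(g, m) for g, members in groups.items() if is_under(g, business_ou)
            for m in members if not is_under(m, business_ou)]

SALES_OU = "OU=Sales,DC=corp,DC=example"
GROUPS = {  # constructed: group DN -> values of its member attribute
    "CN=Sales-Share-RW,OU=Groups,OU=Sales,DC=corp,DC=example": [
        "CN=Ann Lee,OU=Users,OU=Sales,DC=corp,DC=example",
        "CN=Bob Ray,OU=Users,OU=Marketing,DC=corp,DC=example",
        "CN=Smith\\, Jo,ou=users,ou=sales,dc=corp,dc=example",
        "CN=Odd\\,OU=Sales,DC=corp,DC=example",  # name contains a comma; not in Sales
    ],
    "CN=Mkt-Share,OU=Groups,OU=Marketing,DC=corp,DC=example": [
        "CN=Ann Lee,OU=Users,OU=Sales,DC=corp,DC=example",
    ],
}

if __name__ == "__main__":
    for group, member in out_of_scope_members(GROUPS, SALES_OU):
        print(f"{member} is outside {SALES_OU} but is a member of {group}")
```

Comparing parsed RDNs rather than doing a plain string suffix match keeps names that contain escaped commas from being misclassified.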