locked
GPO for adding user to active directory RRS feed

  • Question

  • I'm attempting to add a new GPO to one of the Active Directory groups which will enable that group to add a user to AD. However, I cannot find which option I need to grant in the group policy management editor. Could someone please point me in the right direction?
    Tuesday, June 1, 2010 7:47 PM

Answers

  • Hi,

    Thanks for the post.

    We could use Delegate Administration Wizard to enable that group to add a user to AD.

    Open the Active Directory Users and Computers snap-in to MMC. Right-click an organizational unit and select Delegate Control . This wizard sets up user group permissions to administer organizational units containing computers and user groups. An example would be the delegated right to create new user accounts.

    Delegating administration

    http://technet.microsoft.com/en-us/library/cc778807(WS.10).aspx

    Note: On July 1<sup>st</sup> we will be making this forum read only. After receiving a lot of feedback from the community, it was decided that this forum is a duplication and therefore redundant of the Management and Windows Power Shell  Forum.

    Please post a reply to the announcement thread if you have any feedback on this decision or the process. You can also email WSSDComm@microsoft.com.

     

    • Marked as answer by Miles Zhang Monday, June 7, 2010 2:04 AM
    Wednesday, June 2, 2010 8:42 AM
  • Hello,

    check out this article about delegating control:

    http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

    Also keep in mind that security groups aren't able to apply GPOs, only user accounts and computer accounts in the OU where the GPO is applied to. What you can use is security filtering on the OU where the user/computer accounts are lcoated:

    http://technet.microsoft.com/en-us/library/cc781988(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Miles Zhang Monday, June 7, 2010 2:04 AM
    Saturday, June 5, 2010 11:30 AM

All replies

  • Hi,

    Thanks for the post.

    We could use Delegate Administration Wizard to enable that group to add a user to AD.

    Open the Active Directory Users and Computers snap-in to MMC. Right-click an organizational unit and select Delegate Control . This wizard sets up user group permissions to administer organizational units containing computers and user groups. An example would be the delegated right to create new user accounts.

    Delegating administration

    http://technet.microsoft.com/en-us/library/cc778807(WS.10).aspx

    Note: On July 1<sup>st</sup> we will be making this forum read only. After receiving a lot of feedback from the community, it was decided that this forum is a duplication and therefore redundant of the Management and Windows Power Shell  Forum.

    Please post a reply to the announcement thread if you have any feedback on this decision or the process. You can also email WSSDComm@microsoft.com.

     

    • Marked as answer by Miles Zhang Monday, June 7, 2010 2:04 AM
    Wednesday, June 2, 2010 8:42 AM
  • Hello,

    check out this article about delegating control:

    http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

    Also keep in mind that security groups aren't able to apply GPOs, only user accounts and computer accounts in the OU where the GPO is applied to. What you can use is security filtering on the OU where the user/computer accounts are lcoated:

    http://technet.microsoft.com/en-us/library/cc781988(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Miles Zhang Monday, June 7, 2010 2:04 AM
    Saturday, June 5, 2010 11:30 AM