Remove From My Forums

AD Permissions - New User Object

Question

0

Sign in to vote

Hi All,

requesting you to plesae share your inputs on;

When New user is created in AD then by default group membership assigned

And Security permissions are allowed to him

-Atul

TheAtulA

Monday, December 12, 2016 11:53 AM

Reply

|

Quote

All replies

1

Sign in to vote
When a user is created they are made a member of the group "Domain Users". This is made their "primary" group. The user has permissions to view/read all objects in Active Directory.

Richard Mueller - MVP Enterprise Mobility (Identity and Access)
- Proposed as answer by Todd Heron Monday, December 12, 2016 1:02 PM
- Edited by Richard MuellerMVP Monday, December 12, 2016 4:32 PM fixed typo
Monday, December 12, 2016 12:03 PM

Reply

|

Quote

0

Sign in to vote

is there any command so I list the permissions output and membership output
TheAtulA

Monday, December 12, 2016 12:05 PM

Reply

|

Quote

0

Sign in to vote
The best tool is Active Directory Users and Computers (ADUC). This is available on any domain controller or any client with RSAT. When you view the properties of a user you can view all group memberships. The "Security" tab shows permissions.

And the Get-ADPrincipalGroupMembership PowerShell AD cmdlet will retrieve all group memberships of a user:

https://technet.microsoft.com/en-us/library/ee617259.aspx

Edit: Here is a VBScript program to output security permissions for a specified user:

https://gallery.technet.microsoft.com/2ca52634-12f8-4bff-b71a-37879178ecf5

Richard Mueller - MVP Enterprise Mobility (Identity and Access)
- Edited by Richard MuellerMVP Monday, December 12, 2016 12:30 PM
- Proposed as answer by Todd Heron Monday, December 12, 2016 1:02 PM
Monday, December 12, 2016 12:17 PM

Reply

|

Quote

0

Sign in to vote

Hi Atul,

is there any command so I list the permissions output

>>>To achieve this, please refer to the article below with dcacls.

Use PowerShell to Explore Active Directory Security

https://blogs.technet.microsoft.com/heyscriptingguy/2012/03/12/use-powershell-to-explore-active-directory-security/

For membership, here is a PowerShell script.

PowerShell: Get All Group-Membership of One User/Multiple Users

https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Get-All-Group-167a9ce7

Best Regards,

Jay
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Monday, December 12, 2016 2:37 PM

Reply

|

Quote

Moderator

1

Sign in to vote

If your question is about reading the default group memberships or security permissions, use PowerShell to read or even export users' data to CSV:

http://stackoverflow.com/questions/5072996/how-to-get-all-groups-that-a-user-is-a-member-of

If you want to change the default permissions, group memberships, etc. you need to adjust your provisioning procedures. Lots of ways to do that. Either create user templates to copy and modify them. Or you can user automation tools that allow to you finely tune which user gets what after account creation. Here's an example:

http://www.adaxes.com/active-directory_provisioning.htm

Wednesday, December 14, 2016 12:18 PM

Reply

|

Quote

0

Sign in to vote

Hi,

Are there any updates?

If the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

Thank You.

Best Regards,

Jay
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Tuesday, December 27, 2016 6:52 AM

Reply

|

Quote

Moderator