Remove Member Of

Hi Team. 

I am just looking for suggestions on overcoming a minor issue. 

Let's say I have the following. 

UserA, and UserA is a member of GroupA.

We have a secure T0 area in our AD, and we have not allowed anyone in GroupA to change the accounts that are in T0. However, because UserA can add members to groups outside of T0, they also seem to be able to add T0 accounts to the groups. 

Is there a way to deny Add on Member of for accounts in a certain OU if the person making the change is in GroupA?

Thanks in advance 

  • Think I have it unless there is a better way. 

    So if I Deny Read \ Write to the Member of attribute on the user account, then it works. The person can still go through the process of adding a group, but as soon as they click apply, the change is not saved. Is this the best way or is there something better? 

  • Actually, not quite. Deny Read \ Write means I can't see the groups the account is a member of. If I allow Read but Deny write, I can still add and remove a user to a group. 

    I just need to be able to see the group membership of an account but stop being able to add the account to a group.
