
Deny User Creation

Hi, I want to prevent helpdesk users creating new users in a particular container... I have created a template with Create User Objects denied (amongst other permissions denied, as that did not seem to work) and delegated it to a test user on the container in question, but they are still able to create users. I must be missing something really obvious but can't work out what it is. Can anyone help please? Thanks, Andy

  • Verify that your users don't have "ARS Admin" privileges as these ignore your delegations and simply grant users all rights that your service or override account has.

    In version 6.x, you can check this by connecting as one of your delegated users in the ARS MMC and right clicking "About" in the topmost ActiveRoles node. In the popup dialog, you will see an entry about "ActiveRoles Admin" and it will say either "Yes" or "No".

    In general, "denies" are a bad practice and can lead to headaches down the road.

    ARS has a "positive access model" where users start with no access (not even read) so you should really take a close look at how you are granting access in the first place. For example, do not apply access templates to the root of your domain but rather, only in the containers where you wish them to apply.

    If you want some users to have user create rights in an OU and some not, create yourself two different role groups for these users and only place the users you want to have create privileges in the group that grants these privileges. Then grant just that role group the create privileges.
  • Cheers JohnnyQuest, yes, the helpdesk users are ActiveRoles Server Administrators.... oops! Thanks for taking the time to reply!
  • You are welcome Andy. 'Glad you got this sorted.

    I would strongly recommend that you review the membership of your ARS Administrators group and if possible, place strict controls on its membership.

    Further to this, I would further make sure you are NOT using the local Administrators group of your ARS server for this purpose. Rather, create a security group in AD and place your desired ARS Admins in that group. This will require a somewhat obscure configuration adjustment to ARS. 'Suggest you open a ticket with Support for assistance with this as I prefer not to discuss this in an open forum.
  • Yes, I need to do some more digging and I think a ticket may be required, as the helpdesk users aren't in the AD group of ActiveRoles Server Admins, but looking down the client sessions all of them are AR Server Admins! Thanks again for your help Johnny.
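The two checks JohnnyQuest recommends (review who is actually an Active Roles Admin, and stop relying on the ARS server's local Administrators group for that role) can be scripted. The following PowerShell is an added example and is not from the thread or from the Active Roles product; it uses only the RSAT ActiveDirectory module and PowerShell remoting, and the group names, server name and the assumption that the server's local Administrators group currently grants Active Roles Admin rights are placeholders you must adjust.

```powershell
# Added example, not part of the original thread or the Active Roles product.
# Purpose: report which helpdesk accounts effectively hold Active Roles Admin
# rights, whether through the intended AD admin group or through the ARS
# server's local Administrators group (the default the thread warns about).
# Assumptions (placeholders, adjust to your environment):
#   $ArsAdminAdGroup - AD security group you intend to use for Active Roles Admins
#   $ArsServer       - Active Roles server whose local Administrators group is checked
#   $HelpdeskGroup   - AD group containing helpdesk staff who must NOT be ARS Admins
param(
    [string]$ArsAdminAdGroup = 'ARS-Admins',          # placeholder
    [string]$ArsServer       = 'ars01.corp.example',  # placeholder
    [string]$HelpdeskGroup   = 'Helpdesk-Staff'       # placeholder
)

Import-Module ActiveDirectory

# 1. Users in the intended AD admin group, expanded through nested groups.
$adAdmins = Get-ADGroupMember -Identity $ArsAdminAdGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

# 2. Members of the ARS server's local Administrators group (DOMAIN\name or HOST\name).
#    Per the thread, this group grants full Active Roles Admin rights unless ARS
#    has been reconfigured to use a dedicated AD group instead.
$localAdmins = Invoke-Command -ComputerName $ArsServer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
}

# Expand any domain groups nested in the local Administrators group; local-only
# accounts (HOST\Administrator) are not found in AD and are skipped here.
$expandedLocal = foreach ($entry in $localAdmins) {
    $name = $entry.Split('\')[-1]
    $obj  = Get-ADObject -Filter "SamAccountName -eq '$name'"
    if ($obj -and $obj.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
    } elseif ($obj -and $obj.objectClass -eq 'user') {
        $name
    }
}

# 3. Effective Active Roles Admin set = AD admin group + expanded local Administrators.
$effectiveAdmins = @($adAdmins) + @($expandedLocal) | Sort-Object -Unique

# 4. Helpdesk users, and the subset that is effectively an Active Roles Admin.
$helpdesk = Get-ADGroupMember -Identity $HelpdeskGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

$overlap = $helpdesk | Where-Object { $effectiveAdmins -contains $_ }

if ($overlap) {
    Write-Warning 'Helpdesk accounts that are effectively Active Roles Admins:'
    $overlap | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'No helpdesk accounts hold Active Roles Admin rights.'
}

# 5. Accounts that hold the rights ONLY via the local Administrators group. These
#    are exactly the ones an audit of the AD group alone would miss, which matches
#    the symptom in the thread (not in the AD group, yet shown as AR Server Admins).
$localOnly = $expandedLocal | Where-Object { $adAdmins -notcontains $_ } | Sort-Object -Unique
if ($localOnly) {
    Write-Output 'Accounts with Active Roles Admin rights via local Administrators only:'
    $localOnly | ForEach-Object { Write-Output "  $_" }
}
```

Run it from a workstation with RSAT and remoting rights to the ARS server; a non-empty "local Administrators only" list is the signal that the admin role is still tied to the server's local group and that the reconfiguration JohnnyQuest mentions (moving Active Roles Admin membership to a dedicated, tightly controlled AD group) has not been done.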