Yes, it's not possible to remove Domain Users or add users to Domain Guests on AWS DS. I think the only way to restrict a workspace user is going to be moving them into a separate OU and applying group policies to lock down any actions you don't want them to be able to do.
AD users are assigned to a Primary Group. You must have one. Users cannot be groupless. By default the primary group property is set to "Domain Users". Therefore to remove a user from Domain Users you must first assign them to a new primary group. For example:
# 1. The user must already be a member of the group that will become primary.
Add-ADGroupMember -Identity 'New Group' -Members Joe
# 2. PrimaryGroupToken is the group's RID, which is what PrimaryGroupId stores.
$PrimaryGroupToken = (Get-ADGroup 'New Group' -Properties PrimaryGroupToken).PrimaryGroupToken
Set-ADUser Joe -Replace @{PrimaryGroupId=$PrimaryGroupToken}
# 3. Only now is the explicit Domain Users membership removable.
Remove-ADGroupMember -Identity 'Domain Users' -Members Joe -Confirm:$False
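The same three-step procedure wrapped in a function that checks the current state before each step and reports the "Insufficient access rights" failure this thread runs into instead of stopping halfway. This is an added example, not code from the answer above or from AWS; the user and group names are placeholders, and it assumes the ActiveDirectory module is loaded with rights to edit the user and the new group.

```powershell
# Added example (not from the original thread). Placeholders: 'joe', 'Restricted Users'.
Import-Module ActiveDirectory

function Set-UserPrimaryGroupAndLeaveDomainUsers {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $NewPrimaryGroup
    )

    $user  = Get-ADUser  -Identity $SamAccountName -Properties PrimaryGroupID, MemberOf
    $group = Get-ADGroup -Identity $NewPrimaryGroup -Properties PrimaryGroupToken

    # Step 1: a group can only become primary for a user who is already a member of it.
    if ($user.MemberOf -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }

    # Step 2: PrimaryGroupID holds the RID of the primary group; PrimaryGroupToken is that RID.
    if ($user.PrimaryGroupID -ne $group.PrimaryGroupToken) {
        Set-ADUser -Identity $user -Replace @{ PrimaryGroupID = $group.PrimaryGroupToken }
    }

    # Step 3: the explicit Domain Users membership is now removable in principle. On a
    # managed directory where Domain Users lives outside the delegated OU this is the
    # step that fails, so catch it and say so rather than leaving the caller guessing.
    try {
        Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false -ErrorAction Stop
        Write-Output "Removed $SamAccountName from Domain Users."
    }
    catch {
        Write-Warning "Could not remove $SamAccountName from Domain Users: $($_.Exception.Message)"
        Write-Warning "Primary group was changed, but Domain Users membership still applies."
    }

    # Re-read and return the final state so the operator can verify what actually changed.
    Get-ADUser -Identity $SamAccountName -Properties PrimaryGroupID, MemberOf |
        Select-Object SamAccountName, PrimaryGroupID, MemberOf
}

Set-UserPrimaryGroupAndLeaveDomainUsers -SamAccountName 'joe' -NewPrimaryGroup 'Restricted Users'
```

The primary group change is the part a delegated admin can do on their own OU; the function leaves it in place even when step 3 is refused, so a later attempt (or a different workaround) does not have to repeat steps 1 and 2.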
Correct. I had tried creating a Restricted Users group in our tenant OU, added it to the user account, and promoted it to be primary. That's not the issue. When trying to delete Domain Users either through the console or PowerShell, I get insufficient rights (Remove-ADGroupMember : Insufficient access rights to perform the operation). This is probably due to the Domain groups being outside our tenant OU which makes them read only. It's a security thing but very poor design which limits us. I think I'm back to my original workaround and will have to strip and replace all the Domain Users permission assignments on all the servers and replace with a group that I create in our OU. I wish I had realized this limitation earlier before deploying the servers.
That's disappointing. Based on the current structure, I don't think it will be possible to use GPO to lock it down. The Domain Users group has permissions to most file share areas on all the servers. Looks like I'll need to attack this from the other side. Replace the Domain Users group on all the folder/file permissions with a group we can actually control and basically neuter the Domain Users group. Not a trivial undertaking.
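The workaround the poster lands on is an NTFS permission rewrite: find every explicit ACE granted to Domain Users under the share roots and grant the same rights to a tenant-controlled group instead. Below is an added example of that audit-then-replace pass; it is not code from this thread or from AWS. The share path and the replacement group name are placeholders, it must be run on the file server (or against an admin share) by an account that can read and write the ACLs, and it matches Domain Users by its well-known RID (513) rather than by display name.

```powershell
# Added example (not from the original thread). Placeholders: the path and 'CORP\Restricted Users'.
function Replace-DomainUsersAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ReplacementGroup,
        [switch] $Replace   # without this switch the function only reports
    )

    # Domain Users always has RID 513, so compare SIDs instead of names; a renamed or
    # localized group is still caught, and unresolvable SIDs are simply skipped.
    function Test-DomainUsers([System.Security.Principal.IdentityReference] $id) {
        try {
            $sid = $id.Translate([System.Security.Principal.SecurityIdentifier])
            return $sid.Value.EndsWith('-513')
        } catch { return $false }
    }

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit ACEs only: inherited ones disappear once their parent is fixed.
        $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
        $changed = $false
        foreach ($rule in $explicit) {
            if (-not (Test-DomainUsers $rule.IdentityReference)) { continue }

            # Report what was found; this is the audit output for the dry run.
            [pscustomobject]@{
                Path        = $item.FullName
                Rights      = $rule.FileSystemRights
                Type        = $rule.AccessControlType
                Inheritance = $rule.InheritanceFlags
            }

            if ($Replace) {
                # Same rights, flags and allow/deny type, just a different principal.
                $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $ReplacementGroup, $rule.FileSystemRights, $rule.InheritanceFlags,
                    $rule.PropagationFlags, $rule.AccessControlType)
                $acl.AddAccessRule($newRule)
                [void]$acl.RemoveAccessRule($rule)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Dry run first: review the report, then re-run with -Replace.
Replace-DomainUsersAce -Path 'D:\Shares\Projects' -ReplacementGroup 'CORP\Restricted Users'
# Replace-DomainUsersAce -Path 'D:\Shares\Projects' -ReplacementGroup 'CORP\Restricted Users' -Replace
```

Two things this pass does not cover: share-level permissions on the SMB shares themselves (check those separately with Get-SmbShareAccess), and any server-local rights that Domain Users receives through its membership in the built-in Users group, which an NTFS rewrite cannot remove.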