
How to remove user from Domain Users AD group

1

Trying to set up a restricted account to be used for a Workspace. Don't want this account to have Domain User membership. Would prefer to put the user account in the Domain Guests group. AWS Directory Services does not let me remove the Domain User group membership or add the user to Domain Guest.

What is the correct way to set up a restricted account?

asked 6 months ago, 127 views
2 Answers
0

Yes, it's not possible to remove Domain Users or add users to Domain Guests on AWS DS. I think the only way to restrict a workspace user is going to be moving them into a separate OU and applying group policies to lock down any actions you don't want them to be able to do.

answered 6 months ago
  • That's disappointing. Based on the current structure, I don't think it will be possible to use GPO to lock it down. The Domain User group has permissions to most file share areas on all the servers. Looks like I'll need to attack this from the other side. Replace the Domain Users group on all the folder/file permissions with a group we can actually control and basically neuter the Domain Users group. Not a trivial undertaking.

0

AD users are assigned to a Primary Group. You must have one. Users cannot be groupless. By default the primary group property is set to "Domain Users". Therefore to remove a user from Domain Users you must first assign them to a new primary group. For example:

# Make the user a member of the group that will become the primary group
Add-ADGroupMember -Identity 'New Group' -Members Joe
# The primary group is stored as the group's RID, exposed as PrimaryGroupToken
$PrimaryGroupToken = (Get-AdGroup 'New Group' -Properties PrimaryGroupToken).PrimaryGroupToken
# Point the user's PrimaryGroupId at the new group
Set-AdUser Joe -Replace @{PrimaryGroupId=$PrimaryGroupToken}
# Domain Users is now an ordinary membership and can be removed
Remove-ADGroupMember -Identity 'Domain Users' -Members Joe -Confirm:$False
AWS
answered 6 months ago
  • Correct. I had tried creating a Restricted Users group in our tenant OU, added it to the user account, and promoted it to be primary. That's not the issue. When trying to delete Domain Users either through the console or PowerShell, I get insufficient rights (Remove-ADGroupMember : Insufficient access rights to perform the operation). This is probably due to the Domain groups being outside our tenant OU which makes them read only. It's a security thing but very poor design which limits us. I think I'm back to my original workaround and will have to strip and replace all the Domain Users permission assignments on all the servers and replace with a group that I create in our OU. I wish I had realized this limitation earlier before deploying the servers.
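The primary-group switch described in the answer above, followed by the Domain Users removal that the directory may refuse, and an inventory of where Domain Users is granted on file shares (the fallback the asker describes). This is an added example, not code from the thread or from AWS; it assumes the RSAT ActiveDirectory module is loaded, and the group name 'Restricted Users', the user 'wsuser01' and the share paths are placeholders.

```powershell
# Added example (not from the thread): move a user to a new primary group, then try
# to drop Domain Users, reporting clearly when the directory refuses the last step.
# Assumes the RSAT ActiveDirectory module; 'Restricted Users' and the share paths are
# placeholders for your own environment.
Import-Module ActiveDirectory

function Set-RestrictedPrimaryGroup {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $NewGroup
    )
    # 1. Membership first: primaryGroupID can only point at a group the user is already in.
    if (-not (Get-ADGroupMember -Identity $NewGroup | Where-Object SamAccountName -eq $User)) {
        Add-ADGroupMember -Identity $NewGroup -Members $User
    }
    # 2. Switch the primary group (stored as the group's RID, exposed as primaryGroupToken).
    $token = (Get-ADGroup -Identity $NewGroup -Properties primaryGroupToken).primaryGroupToken
    Set-ADUser -Identity $User -Replace @{ primaryGroupID = $token }
    # 3. Verify the change took effect before touching Domain Users.
    $current = (Get-ADUser -Identity $User -Properties primaryGroupID).primaryGroupID
    if ($current -ne $token) { throw "primaryGroupID for $User is $current, expected $token" }
    # 4. Domain Users is now an ordinary membership and can be removed, if the directory
    #    lets you. In AWS Managed Microsoft AD the built-in groups sit outside the
    #    delegated OU, so this step fails with "Insufficient access rights".
    try {
        Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false -ErrorAction Stop
        Write-Output "$User removed from Domain Users"
    } catch {
        Write-Warning "Could not remove $User from Domain Users: $($_.Exception.Message)"
        Write-Warning "Fall back to re-ACLing resources away from Domain Users (see Find-DomainUsersAces)."
    }
}

# Inventory where Domain Users is granted access, so those ACEs can be replaced with a
# group you do control. Paths are placeholders; run it on each file server.
function Find-DomainUsersAces {
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -like '*\Domain Users') {
                [pscustomobject]@{
                    Path      = $p
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example usage (placeholder names and paths):
# Set-RestrictedPrimaryGroup -User 'wsuser01' -NewGroup 'Restricted Users'
# Find-DomainUsersAces -Path 'D:\Shares\Finance', 'D:\Shares\Public' | Format-Table
```

The verification step after Set-ADUser matters: if the primary group change silently failed, Remove-ADGroupMember on Domain Users would be rejected for a different reason (you cannot remove a user from their primary group), which is easy to confuse with the access-rights error the asker hit. Inherited ACEs reported by Find-DomainUsersAces should be fixed at the folder where inheritance starts rather than on each child.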
