
How to remove user from Domain Users AD group

1

Trying to set up a restricted account to be used for a Workspace. Don't want this account to have Domain Users membership. Would prefer to put the user account in the Domain Guests group. AWS Directory Services does not let me remove the Domain Users group membership or add the user to Domain Guests.

What is the correct way to set up a restricted account?

asked 6 months ago, 127 views
2 answers
0

Yes, it's not possible to remove Domain Users or add users to Domain Guests on AWS DS. I think the only way to restrict a workspace user is going to be moving them into a separate OU and applying group policies to lock down any actions you don't want them to be able to do.

answered 6 months ago
  • That's disappointing. Based on the current structure, I don't think it will be possible to use GPO to lock it down. The Domain User group has permissions to most file share areas on all the servers. Looks like I'll need to attack this from the other side. Replace the Domain Users group on all the folder/file permissions with a group we can actually control and basically neuter the Domain Users group. Not a trivial undertaking.

0

AD users are assigned to a Primary Group. You must have one. Users cannot be groupless. By default the primary group property is set to "Domain Users". Therefore, to remove a user from Domain Users you must first assign them to a new primary group. For example:

# Add the user to the group that will become the new primary group
Add-ADGroupMember -Identity 'New Group' -Members Joe
# Look up the group's RID; primaryGroupID stores a RID, not a DN
$PrimaryGroupToken = (Get-ADGroup 'New Group' -Properties PrimaryGroupToken).PrimaryGroupToken
# Point the user's primary group at the new group
Set-ADUser Joe -Replace @{PrimaryGroupId=$PrimaryGroupToken}
# Only after the primary group has moved can the Domain Users membership be removed
Remove-ADGroupMember -Identity 'Domain Users' -Members Joe -Confirm:$False
answered 6 months ago
  • Correct. I had tried creating a Restricted Users group in our tenant OU, added it to the user account, and promoted it to be primary. That's not the issue. When trying to delete Domain Users either through the console or PowerShell, I get insufficient rights (Remove-ADGroupMember : Insufficient access rights to perform the operation). This is probably due to the Domain groups being outside our tenant OU, which makes them read-only. It's a security thing but very poor design which limits us. I think I'm back to my original workaround and will have to strip and replace all the Domain Users permission assignments on all the servers and replace them with a group that I create in our OU. I wish I had realized this limitation earlier before deploying the servers.
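The workaround the asker settles on, replacing every explicit Domain Users ACE on the file shares with a group created inside the tenant OU, as an added example that is not part of the original thread. It assumes NTFS paths reachable from the server it runs on; the share root, the `CONTOSO` domain prefix and the `Restricted Users` group name are placeholders, and nothing is changed unless `-Apply` is passed.

```powershell
# Added example, not from the original answers. Report-only by default:
# run with -Apply to rewrite the ACLs. Group and path names are placeholders.
param(
    [string]$Root = 'D:\Shares',
    [string]$OldPrincipal = 'CONTOSO\Domain Users',
    [string]$NewPrincipal = 'CONTOSO\Restricted Users',
    [switch]$Apply
)

$folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)

foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName

    # Only explicit ACEs are rewritten; inherited ones follow from the parent
    # folder, which is handled when its own explicit ACE is replaced.
    $hits = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $OldPrincipal
    })
    if ($hits.Count -eq 0) { continue }

    foreach ($ace in $hits) {
        Write-Output ('{0}: {1} {2} for {3}' -f $folder.FullName,
            $ace.AccessControlType, $ace.FileSystemRights, $ace.IdentityReference)
        if ($Apply) {
            # Carry the rights, inheritance flags and Allow/Deny type over
            # unchanged so Deny entries stay Deny and propagation is preserved.
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $NewPrincipal, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            [void]$acl.RemoveAccessRule($ace)
            $acl.AddAccessRule($newAce)
        }
    }
    if ($Apply) { Set-Acl -Path $folder.FullName -AclObject $acl }
}
```

Run it once without `-Apply` and keep that report; it is the list of places where the replacement group must already carry the intended members before the Domain Users entries disappear.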
