
How to remove user from Domain Users AD group

1

Trying to set up a restricted account to be used for a Workspace. Don't want this account to have Domain Users membership. Would prefer to put the user account in the Domain Guests group. AWS Directory Services does not let me remove the Domain Users group membership or add the user to Domain Guests.

What is the correct way to set up a restricted account?

Asked 5 months ago · 122 views
2 answers
0

Yes, it's not possible to remove Domain Users or add users to Domain Guests on AWS DS. I think the only way to restrict a workspace user is going to be moving them into a separate OU and applying group policies to lock down any actions you don't want them to be able to do.

Answered 5 months ago
  • That's disappointing. Based on the current structure, I don't think it will be possible to use GPO to lock it down. The Domain Users group has permissions to most file share areas on all the servers. Looks like I'll need to attack this from the other side: replace the Domain Users group on all the folder/file permissions with a group we can actually control and basically neuter the Domain Users group. Not a trivial undertaking.
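The first answer's approach (separate OU plus a lockdown GPO), written out as an added PowerShell example; this is not code from the thread. The delegated OU DN, the OU name "Restricted Users", the GPO name and the user name are assumptions. Note the limit the comment above points at: these settings constrain what the user can do inside the session, they do not change any ACL, so anything that grants access to Domain Users still grants it to this account.

```powershell
# Added example: move a WorkSpaces user into a restricted OU and link a lockdown GPO to it.
# Assumptions (hypothetical): the delegated OU below is the one AWS Managed Microsoft AD
# gives you write access to; 'joe' is the restricted user's sAMAccountName.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DelegatedOu  = 'OU=corp,DC=corp,DC=example,DC=com'   # assumption
$RestrictedOu = "OU=Restricted Users,$DelegatedOu"    # assumption
$GpoName      = 'WorkSpaces-Restricted-User'          # hypothetical name
$UserName     = 'joe'                                 # hypothetical user

# 1. Create the restricted OU (idempotent) and move the user object into it.
#    Get-ADOrganizationalUnit throws when the DN does not exist, so treat that as "absent".
$ou = try { Get-ADOrganizationalUnit -Identity $RestrictedOu } catch { $null }
if (-not $ou) {
    New-ADOrganizationalUnit -Name 'Restricted Users' -Path $DelegatedOu
}
Get-ADUser -Identity $UserName | Move-ADObject -TargetPath $RestrictedOu

# 2. Create the GPO if it is missing.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Session lockdown for restricted WorkSpaces users'
}

# 3. User Configuration lockdowns, expressed as the registry-based policy values behind the
#    corresponding Administrative Template settings (all HKCU, so they follow the user object).
$policies = @(
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoControlPanel';       Value = 1 }  # Prohibit access to Control Panel / Settings
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoRun';                Value = 1 }  # Remove Run from Start menu
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   ValueName = 'DisableRegistryTools'; Value = 1 }  # Prevent access to registry editing tools
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System';                  ValueName = 'DisableCMD';           Value = 2 }  # Prevent access to the command prompt (2 = also block scripts)
)
foreach ($p in $policies) {
    Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.ValueName -Type DWord -Value $p.Value | Out-Null
}

# 4. Link the GPO to the restricted OU only, enforced so a child OU cannot block inheritance.
$alreadyLinked = (Get-GPInheritance -Target $RestrictedOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $RestrictedOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Report what the user now gets: distinguishedName (new OU) and the links on that OU.
Get-ADUser -Identity $UserName -Properties DistinguishedName | Select-Object SamAccountName, DistinguishedName
(Get-GPInheritance -Target $RestrictedOu).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

Run this from a domain-joined management host with RSAT installed, as an account that has rights in the delegated OU. The user has to log off and on (or run gpupdate) before the user-side settings take effect.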

0

AD users are assigned a primary group. You must have one; users cannot be groupless. By default the primary group attribute is set to "Domain Users". Therefore, to remove a user from Domain Users you must first assign them a new primary group. For example:

Import-Module ActiveDirectory
# The user must already be a member of the group before it can become the primary group.
Add-ADGroupMember -Identity 'New Group' -Members Joe
# primaryGroupID stores the RID of the group, which AD exposes as the PrimaryGroupToken property.
$PrimaryGroupToken = (Get-ADGroup 'New Group' -Properties PrimaryGroupToken).PrimaryGroupToken
Set-ADUser Joe -Replace @{PrimaryGroupId=$PrimaryGroupToken}
# Only now does Domain Users appear as an ordinary membership that can be removed.
Remove-ADGroupMember -Identity 'Domain Users' -Members Joe -Confirm:$False
AWS
Answered 5 months ago
  • Correct. I had tried creating a Restricted Users group in our tenant OU, added it to the user account, and promoted it to be primary. That's not the issue. When trying to delete Domain Users, either through the console or PowerShell, I get insufficient rights (Remove-ADGroupMember : Insufficient access rights to perform the operation). This is probably due to the Domain groups being outside our tenant OU, which makes them read-only. It's a security thing but very poor design which limits us. I think I'm back to my original workaround and will have to strip and replace all the Domain Users permission assignments on all the servers and replace them with a group that I create in our OU. I wish I had realized this limitation earlier before deploying the servers.
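The workaround the comment above settles on, swapping every explicit "Domain Users" ACE on the file servers for a group you control, as an added PowerShell example that is not part of the thread. The domain NetBIOS name CORP, the replacement group name FileShare-Users and the share root D:\Shares are assumptions; the function defaults to a dry run and only writes ACLs when -Apply is given.

```powershell
# Added example: find every explicit NTFS ACE granted to one principal under a share root
# and replace it with an identical ACE for another principal. Dry run unless -Apply is set.
# Run on the file server, elevated (Set-Acl needs ownership or SeRestorePrivilege on each object).
function Invoke-AceReplacement {
    param(
        [Parameter(Mandatory)][string]$Path,          # share root to walk
        [Parameter(Mandatory)][string]$OldPrincipal,  # e.g. 'CORP\Domain Users'
        [Parameter(Mandatory)][string]$NewPrincipal,  # e.g. 'CORP\FileShare-Users'
        [switch]$Apply
    )

    # Fail fast if the replacement group does not resolve; otherwise Set-Acl would fail per object.
    $null = (New-Object System.Security.Principal.NTAccount($NewPrincipal)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Include the root itself; -Force picks up hidden/system objects that still carry ACLs.
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Only explicit ACEs are rewritten. Inherited ones are regenerated from the parent
        # once the parent is rewritten, so touching them here would be wrong and redundant.
        $hits = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ieq $OldPrincipal
        })
        if ($hits.Count -eq 0) { continue }

        foreach ($ace in $hits) {
            # Same rights, inheritance/propagation flags and Allow/Deny type, new identity.
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $NewPrincipal, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($replacement)
            # RemoveAccessRuleSpecific removes exactly this ACE rather than subtracting rights.
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }

        if ($Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }

        [pscustomobject]@{
            Path     = $item.FullName
            Replaced = $hits.Count
            Rights   = ($hits | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
            Applied  = [bool]$Apply
        }
    }
}

# Usage (assumed names). First pass: report only, review the output.
Invoke-AceReplacement -Path 'D:\Shares' -OldPrincipal 'CORP\Domain Users' -NewPrincipal 'CORP\FileShare-Users' |
    Format-Table -AutoSize

# Second pass, once the report looks right:
# Invoke-AceReplacement -Path 'D:\Shares' -OldPrincipal 'CORP\Domain Users' -NewPrincipal 'CORP\FileShare-Users' -Apply
```

Two things to check before the -Apply pass. Share-level permissions are separate from NTFS ACLs and are not touched by this function; inspect them with Get-SmbShareAccess and adjust with Grant-SmbShareAccess / Revoke-SmbShareAccess (those cmdlets are real, but their use here is an assumption about your setup). And because every domain user stays in Domain Users through the primary group, the restricted account loses access only where Domain Users was the sole grant; any ACE for Authenticated Users or Everyone still applies to it.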
