I have created an active directory security group.

I would like to adjust the security permissions so a group will have the following permissions. The identified group should be able to add computer objects to the security group but should not be able to remove the computer object from the security group.

I am able to adjust the security permissions so that the user can add/remove from the security group. I am unable to locate the proper attribute to deny in order to prevent users from being able to remove computer objects.

Cory Knutson

2 Answers

You cannot secure the operations separately as there is no difference between an "add" and a "remove"; both operations constitute a write on the members attribute of the object.

Semicolon
  • With the proper audit policy in place, you could generate alerts to be sent when a 4729 event (global group member removed) is logged for certain groups on a domain controller. – Clayton Mar 27 '18 at 19:19
You can achieve almost the same thing with a scheduled task.

Create 2 groups. The first is the one you already have, and the second should be set so the users in question cannot manage the members.

The scheduled task performs these 2 steps in order:

  • Adds members to the second group based on the members that are in the first group.
  • Adds members to the first group based on the members in the second.

So when a member is removed from the first group, the scheduled task adds that member back, because they are in the second group.

To actually remove a member from the group, they must be removed from both groups simultaneously.

longneck
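The two-step sync described in the answer above, written out as a PowerShell script for the scheduled task. This is an added example, not code from the answer; it assumes the RSAT ActiveDirectory module is installed and uses placeholder group names.

```powershell
# Added example: scheduled-task body that keeps a delegated group and a
# locked-down "shadow" group in sync so removals from the delegated group
# are undone on the next run. Group names below are placeholders.
Import-Module ActiveDirectory

$PrimaryGroup = 'Workstations-Managed'          # delegated users may edit this one
$ShadowGroup  = 'Workstations-Managed-Shadow'   # only admins may edit this one

function Get-MemberDNs {
    param([string]$GroupName)
    # Direct members only; -Recursive would also pull in members of nested groups.
    @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty DistinguishedName)
}

function Sync-GroupPair {
    param([string]$From, [string]$To)
    # Add every member of $From that is not yet a member of $To; return what was added.
    $source  = Get-MemberDNs -GroupName $From
    $target  = Get-MemberDNs -GroupName $To
    $missing = @($source | Where-Object { $target -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $To -Members $missing
    }
    return $missing
}

# Step 1: anything added to the delegated group is mirrored into the shadow group.
$mirrored = Sync-GroupPair -From $PrimaryGroup -To $ShadowGroup

# Step 2: anything still in the shadow group but gone from the delegated group is put back.
$restored = Sync-GroupPair -From $ShadowGroup -To $PrimaryGroup

# Members restored in step 2 were removed from the delegated group since the last run;
# reporting them gives the task its own audit trail next to event ID 4729 on the DCs.
foreach ($dn in $restored) {
    Write-Warning "Re-added $dn to $PrimaryGroup (removed since last sync)"
}
```

Register the script with Task Scheduler under an account that can write the members attribute of both groups; a legitimate removal must then be made from both groups between two runs of the task.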