If you would like your users to be able to add and remove users from the groups they manage, then yes. You will need to install ADMINPAK.MSI from the server's c:\Windows\System32 folder. You will also need to enable management in the properties of each group. On the Managed By tab, click Change and then select the user. You also need to check Manager can update membership list. It would also be good practice to create a custom taskpad that allows them only to add and remove user accounts from their group. This ability should only be for users in the OU that contains the group.
With the AD Recycle Bin Turned on, What Happens when you Create a User Account with a Password that does not meet the Password Policy?
This was an interesting observation from one of my Windows Server 2012 classes. While working with the AD Recycle Bin in a lab, one of my students discovered some interesting accounts that had been created. When he created user accounts with passwords that did not meet the password complexity requirements, an account was temporarily made and then deleted. When a new password that met the requirements was provided, a new account was made. We discovered this in two places. The first was the Active Directory Administrative Center, which is what caused the initial confusion. Take a look. This is in the Deleted Objects OU. You can see multiple deleted accounts for Test2 and one for Test3. Test3 is a valid, functioning user account. Using the PowerShell command Get-ADObject -IncludeDeletedObjects -Filter * -Properties ObjectSID we can see that indeed, two accounts were created, with one of them deleted. Notice that the RID portion of the SID is different. ...
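To check the output of that query for this pattern, group the objects by account name and compare the RID of each SID. This is an added PowerShell example, not from the original post; the helper names Get-RidFromSid and Find-ReissuedAccount are hypothetical, and the sample rows, domain SID and RIDs are constructed.

```powershell
# Added example; rows are constructed and the domain SID and RIDs are made up.
# Live input (ActiveDirectory module) could come from:
#   Get-ADObject -IncludeDeletedObjects -Filter 'objectClass -eq "user"' `
#       -Properties ObjectSID, sAMAccountName, isDeleted
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'Test2'; ObjectSID = "$domainSid-1131"; isDeleted = $true  }
    [pscustomobject]@{ sAMAccountName = 'Test2'; ObjectSID = "$domainSid-1132"; isDeleted = $true  }
    [pscustomobject]@{ sAMAccountName = 'Test3'; ObjectSID = "$domainSid-1133"; isDeleted = $true  }
    [pscustomobject]@{ sAMAccountName = 'Test3'; ObjectSID = "$domainSid-1134"; isDeleted = $false }
    [pscustomobject]@{ sAMAccountName = 'Test4'; ObjectSID = "$domainSid-1135"; isDeleted = $false }
)

function Get-RidFromSid {
    param([Parameter(Mandatory)] $Sid)
    # The RID is the last sub-authority of S-1-5-21-<domain>-<RID>.
    # Casting to [string] also handles the SecurityIdentifier objects AD returns.
    $parts = ([string]$Sid) -split '-'
    [uint32]$parts[-1]
}

function Find-ReissuedAccount {
    # Hypothetical helper: lists every SID seen for an account name that has
    # at least one deleted object, ordered by RID.
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    begin   { $rows = @() }
    process { $rows += $InputObject }
    end {
        foreach ($g in ($rows | Group-Object sAMAccountName)) {
            # Skip names that have no deleted object at all (Test4 here).
            if (-not ($g.Group | Where-Object isDeleted)) { continue }
            foreach ($o in ($g.Group | Sort-Object { Get-RidFromSid $_.ObjectSID })) {
                [pscustomobject]@{
                    Account = $g.Name
                    RID     = Get-RidFromSid $o.ObjectSID
                    State   = $(if ($o.isDeleted) { 'Deleted' } else { 'Live' })
                }
            }
        }
    }
}

$sample | Find-ReissuedAccount | Format-Table -AutoSize
```

Each row is a distinct security principal: a deleted object and the live account that shares its name never share a RID, so permissions or audit entries that reference one SID do not apply to the other.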