The only way I can think of to disallow copying of users would be to modify (somehow) the ADU&C "copy" function (i.e. the context menu). Extending ADU&C isn't hard (to add new right-click options - we've done that), but I'm not sure if that same method could be used to disable (essentially "break") that copy function (as it may be considered a "built in" function).

Here is an article that discusses how to extend the context menu of AD U&C - maybe that will give you a starting point on where to look...

http://www.petri.co.il/add_unlock_user_option_to_dsa.htm

Good luck!

P.S. Word of warning: If you extend the context menu of AD U&C...non-optimally - everyone who runs ADU&C will see that new context menu - but it won't work (so you may get more help desk calls!). The "correct" way to extend the ADU&C MMC would involve writing a DLL and then registering it on machines (somewhat like the 'additional account info') - thereby making that extension only appear on machines where it will actually work (we did NOT do this - so everyone sees our new context menu - but only people who have the VB script installed on their machine can actually use it). I'm not sure how (writing the DLL and registering it) that would be done (I don't code at that level). I know someone at Microsoft does! :)

PPS. It may be that you can "break" the copy function by updating the context menu (in the schema) related to the 'copy' function to call a non-existent VB script.

-----Original Message-----
From: Aaron Horn [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 4:20 PM
To: Active Directory Admin Issues
Subject: RE: Disallowing "copy user" in AD

To us, there isn't really a benefit between a basic setting and setting up a new user from scratch. I want the ability to make it impossible for the Techs to copy the user because inevitably, I'll have a few of my guys leave over the next few years and I'll bring on a few new guys and the policy of never copying a user will not get communicated to them and they'll copy a user and that person will get access they shouldn't have. I'd like to make it so that someone setting up a new user isn't able to copy a user at all, whether it be because they forgot or because they didn't know our internal policy. That way, there are no mistakes that lead to security breaches in our folder security.

In the last two years, it has happened 3 times where someone had permissions they shouldn't because their account was copied from someone else and inherited permissions they shouldn't have had. Mistakes happen, but I'd like to be able to technically make it harder for that to happen. I hope that makes sense.

Thanks!
Aaron

-----Original Message-----
From: Thomas Nilsen [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 2:59 PM
To: Active Directory Admin Issues
Subject: RE: Disallowing "copy user" in AD

Not sure if you can disable copy user function, but why not just set up a disabled dummy account as a template with the most basic settings and allow your helpdesk techs to copy from that user only?

Regards,
Thomas

>-----Original Message-----
>From: Aaron [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 29, 2008 9:22 PM
>To: Active Directory Admin Issues
>Subject: Disallowing "copy user" in AD
>
>We have had problems with Help Desk techs "copying" a user in Active
>Directory to set up a new user that is very similar in roles to an
>existing user. However, they don't always look over the Memberships
>closely enough and sometimes an employee that was "copied" from an
>existing employee in AD had permissions they shouldn't. I have put in
>a new policy that copying a user in AD is no longer allowed and that
>all new users must be set up from scratch. Is there a way to enforce
>this in AD? I would like for the Help Desk to be able to
>create new users, delete users, edit users, just not copy
>users. Can this be done?
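
A detection-side complement to the thread, added here and not posted by any participant: a PowerShell check that flags new accounts whose group memberships go beyond an approved baseline and names any older account with an identical group set, which hints that the new account was copied from it. The function name Find-CopiedAccount, the example.com group DNs and the sample accounts are constructed for illustration.

```powershell
# Added example. All group DNs and account names below are constructed sample data.
function Find-CopiedAccount {
    param(
        [Parameter(Mandatory)] [object[]] $NewUser,       # needs SamAccountName, MemberOf
        [Parameter(Mandatory)] [object[]] $ExistingUser,  # same shape, older accounts
        [string[]] $BaselineGroup = @()                   # group DNs any new account may hold
    )
    foreach ($u in $NewUser) {
        $groups = @($u.MemberOf | Where-Object { $_ } | Sort-Object -Unique)
        $extra  = @($groups | Where-Object { $BaselineGroup -notcontains $_ })
        if ($extra.Count -eq 0) { continue }   # only baseline groups: nothing to report

        # Older accounts with exactly the same group set are likely copy sources.
        $key   = $groups -join '|'
        $twins = @($ExistingUser | Where-Object {
            (@($_.MemberOf | Where-Object { $_ } | Sort-Object -Unique) -join '|') -eq $key
        } | ForEach-Object { $_.SamAccountName })

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            ExtraGroups    = $extra
            SameGroupsAs   = $twins
        }
    }
}

# Constructed sample input so the function can be exercised without a domain.
$baseline = @('CN=All Staff,OU=Groups,DC=example,DC=com')
$existing = @(
    [pscustomobject]@{ SamAccountName = 'jsmith'; MemberOf = @(
        'CN=All Staff,OU=Groups,DC=example,DC=com',
        'CN=Finance Share RW,OU=Groups,DC=example,DC=com') }
)
$new = @(
    [pscustomobject]@{ SamAccountName = 'newhire1'; MemberOf = $existing[0].MemberOf },
    [pscustomobject]@{ SamAccountName = 'newhire2'; MemberOf = $baseline }
)
Find-CopiedAccount -NewUser $new -ExistingUser $existing -BaselineGroup $baseline

# Against a live domain (ActiveDirectory module), the inputs can be built with:
#   $since    = (Get-Date).AddDays(-7)
#   $all      = Get-ADUser -Filter * -Properties whenCreated, memberOf
#   $new      = $all | Where-Object { $_.whenCreated -ge $since }
#   $existing = $all | Where-Object { $_.whenCreated -lt $since }
```

The memberOf attribute does not include an account's primary group, so the baseline only needs to list groups that are assigned explicitly.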
