You would need to add the user to another group and set that to the primary group. Then remove them from "Domain Users". Here is powershell example to set the primary group, and you could use remove-adgroupmember to remove "Domain Users".
http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/5f1728cb-20ce-42a7-9b51-1e723bfba031 On Fri, Nov 18, 2011 at 5:29 PM, Graeme Carstairs <[email protected]>wrote: > We have a project in hand that the client is looking for someway to do > either of the following 2 optons for authenticating 3rd party contractors > who need access to the system. > > 1. An authenticaiton database and system that doesnt store the user > accounts in AD and uses an alternative user account system but still has > the capability to allow access as if it was a main AD account to file > shares, applications and even Exchange if requried. > 2. A second domain for the 3rd party contractos with a trust. > 3. Locked down OU, with the accounts not having domain users and was > mentioned but not decided as absolutely must have "authenticated user" > rights. > > I think 3 will be the easiest to manage on going, but the client has > expressed that they would like it to be systematically controlled by the > software and not just left to the people creating accounts in case > something is missed. > > Does that help :) > > Graeme > > > On 18 November 2011 21:51, Rankin, James R <[email protected]> wrote: > >> ** >> I'd love to hear what you need to do that for >> Sent from my SR-71 Blackbird >> ------------------------------ >> *From: * Graeme Carstairs <[email protected]> >> *Date: *Fri, 18 Nov 2011 21:28:04 +0000 >> *To: *NT System Admin Issues<[email protected]> >> *ReplyTo: * "NT System Admin Issues" < >> [email protected]> >> *Subject: *Can you have all members of and OU automatically not be >> members of Domain users >> >> Hi There, >> >> The subject line says it all >> >> We are looking for away to systematically make and OU that if you create >> a user in it, it will have a group say "SecGroup1" as its primary group, >> and not have membership of Domain Users. >> >> The idea is for a specific OU that users created in it, will never be >> members of Domain Users, and even if the membership is added to the user >> once created will be removed, or be unable to be added. >> >> Thanks >> >> Graeme >> >> >> >> >> >> >> -- >> Good news everyone, you have just received an e-mail from me! >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe ntsysadmin >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to [email protected] >> with the body: unsubscribe ntsysadmin >> > > > > -- > Good news everyone, you have just received an e-mail from me! > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
