There is no way to completely remove this feature, because it is enforced as a single permission on the Active Directory side.
WORKAROUND:
Use Active Roles to create a triggered Workflow that runs whenever a Group is created by the target Users. The Workflow runs an action that clears the Members attribute of the new Group.
The effect of this Workflow is that users can create a Group and populate it with any accounts, but the populated members are cleared immediately when the Group is saved. Because they lack the permission to Modify Groups, they cannot re-add any members after the Group has been created.
This can be implemented in Active Roles Server 6.7 with a simple PowerShell script.
In Active Roles Server 6.8 and later, it can be implemented even more easily with an Update action.
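The following is an added example of such a script module; it is not code from the article or from One Identity. It assumes the Active Roles script-module model in which a handler named onPostCreate receives the request object as $Request and the just-created directory object as $DirObj (both assumed here), and that the script is attached to a workflow or policy whose trigger is already scoped to group creation by the target users, so the script itself only guards the object class. Clearing is done with the standard ADSI PutEx call using the ADS_PROPERTY_CLEAR control code.

```powershell
# Added example (not the product's own code): Active Roles script module that
# clears the member attribute of a group right after it has been created.
# Assumptions: handler name onPostCreate, and the Active Roles variables
# $Request (the operation request) and $DirObj (the created object).

$ADS_PROPERTY_CLEAR = 1   # ADSI PutEx control code: remove all values of a multi-valued attribute

function onPostCreate($Request)
{
    # Act only on group objects; users, OUs and other classes created under the
    # same trigger scope are left untouched.
    if ($Request.Class -ne 'group') { return }

    # Clear whatever members the creator populated, then commit the change.
    # The creator has no Modify Groups permission, so the membership cannot be
    # re-added afterwards; only administrators with that permission can.
    $DirObj.PutEx($ADS_PROPERTY_CLEAR, 'member', $null)
    $DirObj.SetInfo()
}
```

Restrict which creators this applies to through the trigger's initiator and container scope rather than by hard-coding account names in the script, so the policy stays auditable from the Active Roles console and the script remains a pure membership-clearing action.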
© 2024 One Identity LLC. ALL RIGHTS RESERVED.