Dear good afternoon
I have gitlab 11.7 installed in my environment authenticating in Active Directory, however, when users log in they have the power to create projects and groups, how do I lock this automatically?
To avoid new users to be able to create groups make sure the value of the following option is set to false:
gitlab_rails['gitlab_default_can_create_group'] = false
in the GitLab configuration file (/etc/gitlab/gitlab.rb for an Omnibus installation).
For an existing user you need to go to its profile page: <gitlab_url>/admin/users/<username>/edit and untick the Can create group option.
You need to repeat the operation for each user.
To avoid new users to be able to create projects make sure the value of the option Default projects limit in Admin Area > Settings > Account and limit is set to 0. You can directly access the page with this URL: <gitlab_url>/admin/application_settings.
For an existing user you need to go to its profile page: <gitlab_url>/admin/users/<username>/edit and set the Projects limit option to 0.
You need to repeat the operation for each user.
All GUI operations have to be performed logged in with an administrator account.
I hope I helped you. 
Thanks for the answer.
1 Like
Hi guys, is this just for EE? … I’ve tried it in my docker-compose.yml but my AD users have still group creation enabled after their first login 
This looks to be deprecated: Remove 'gitlab_default_can_create_group' setting (!6819) · Merge requests · GitLab.org / omnibus-gitlab · GitLab I used to use it in /etc/gitlab/gitlab.rb on gitlab-ce so was possible at some point.
I believe the correct way is go into Admin → General → Account and limit
User restrictions
Uncheck “Allow new users to create top-level groups”
Click save
You may wish to check existing users in the system individually to see if that option is enabled for them, or automatically globally disabled across all users. Since it may be possible to override it on a per-user basis.
Hi, maybe you can help and me? How can i avoid SSO users to create projects groups and other? They basically got developer permissions and can create, but i want to block this operation …