Solved

Add techs the right to add users to groups

Posted on 2007-11-27
9
193 Views
Last Modified: 2010-03-17
I have an OU for each site.  Is it possible for a group of technicians to be able to add users that are in these site OUs to groups without being able to add them as Domain Admins or Enterprise Admins?
0
Comment
Question by:securitythreat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 2

Expert Comment

by:lcit
ID: 20357728
On the properties page of the group, there's a "Managed By" tab.  Add your techs to the manager list, then check the box allowing them to update the member list.  
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20357849
This will only allow one name.  Also, it does not allow groups.  Is there a way around this?  For instance, if I have a group of admins that I want to be able to manage certain groups... that I can ad them?
0
 
LVL 2

Accepted Solution

by:
lcit earned 250 total points
ID: 20357990
On the properties page of the group, click the security tab.  Click "advanced".  Click the Add button and add the techs you want to be able to manage the group and click ok.  Click the properties tab on the permissions box that pops up, and check the "write members" and "read members" allow boxes.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20358224
lcit's 2nd instructions will suffice for a single group object at a time - if you need to apply this delegation en masse then you can use the Delegation of Control wizard in AD Users & Computers.  Right-click on the OU containing the group objects in question and select Delegate Control.  I believe "modify group membership" is one of the built-in tasks that you can delegate.

To answer your question about delegated techs not being able to add users to elevated groups like DA/EA, simply move the elevated groups in question into a separate OU - I typically place these groups into a separate "Administration" OU for this reason, as I have a number of delegated admins who have control over only the specific groups that I've designated.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358278
Laura -

This is fine.  However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?

Icit -

This still limits me to only one user per group.
0
 
LVL 2

Expert Comment

by:lcit
ID: 20358293
That's strange.  I added a group with permission over another group and it worked for me.  Does it give you an error when you try to add multiples?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 250 total points
ID: 20358321
> "However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?"

You are only delegating the right to modify group memberships in a particular OU; this in no way confers the right to move users and/or groups from one OU into another unless you have also delegated those rights separately.  Say you have an OU called "Corp" and an OU called "Administration", containing the following objects:

CORP
  - AccountingGroup
  - FinanceGroup
  - JSmith (User)
  - KSmith (User)

ADMINISTRATION
  - Domain Admins
  - Enterprise Admins
  - Schema Admins
  - CorpTechs

Delegate control over "CORP" to allow "CORPTECHS" to modify group membership; this will allow members of CorpTechs to modify membership for only the AccountingGroup and FinanceGroup group objects.  As long as you do not delegate permissions over the ADMINISTRATION OU, and as long as you place the CorpTechs group into an OU that members of CorpTechs cannot modify, they will not be able to elevate their privileges in the manner that you are describing.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358324
The only fields that are avaliable are "user and Contacts".  As a result, the security group would have to be a distribution group.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358330
or a security group with a mailing address
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question