Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Add techs the right to add users to groups

Posted on 2007-11-27
9
Medium Priority
?
195 Views
Last Modified: 2010-03-17
I have an OU for each site.  Is it possible for a group of technicians to be able to add users that are in these site OUs to groups without being able to add them as Domain Admins or Enterprise Admins?
0
Comment
Question by:securitythreat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 2

Expert Comment

by:lcit
ID: 20357728
On the properties page of the group, there's a "Managed By" tab.  Add your techs to the manager list, then check the box allowing them to update the member list.  
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20357849
This will only allow one name.  Also, it does not allow groups.  Is there a way around this?  For instance, if I have a group of admins that I want to be able to manage certain groups... that I can ad them?
0
 
LVL 2

Accepted Solution

by:
lcit earned 1000 total points
ID: 20357990
On the properties page of the group, click the security tab.  Click "advanced".  Click the Add button and add the techs you want to be able to manage the group and click ok.  Click the properties tab on the permissions box that pops up, and check the "write members" and "read members" allow boxes.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20358224
lcit's 2nd instructions will suffice for a single group object at a time - if you need to apply this delegation en masse then you can use the Delegation of Control wizard in AD Users & Computers.  Right-click on the OU containing the group objects in question and select Delegate Control.  I believe "modify group membership" is one of the built-in tasks that you can delegate.

To answer your question about delegated techs not being able to add users to elevated groups like DA/EA, simply move the elevated groups in question into a separate OU - I typically place these groups into a separate "Administration" OU for this reason, as I have a number of delegated admins who have control over only the specific groups that I've designated.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358278
Laura -

This is fine.  However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?

Icit -

This still limits me to only one user per group.
0
 
LVL 2

Expert Comment

by:lcit
ID: 20358293
That's strange.  I added a group with permission over another group and it worked for me.  Does it give you an error when you try to add multiples?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 1000 total points
ID: 20358321
> "However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?"

You are only delegating the right to modify group memberships in a particular OU; this in no way confers the right to move users and/or groups from one OU into another unless you have also delegated those rights separately.  Say you have an OU called "Corp" and an OU called "Administration", containing the following objects:

CORP
  - AccountingGroup
  - FinanceGroup
  - JSmith (User)
  - KSmith (User)

ADMINISTRATION
  - Domain Admins
  - Enterprise Admins
  - Schema Admins
  - CorpTechs

Delegate control over "CORP" to allow "CORPTECHS" to modify group membership; this will allow members of CorpTechs to modify membership for only the AccountingGroup and FinanceGroup group objects.  As long as you do not delegate permissions over the ADMINISTRATION OU, and as long as you place the CorpTechs group into an OU that members of CorpTechs cannot modify, they will not be able to elevate their privileges in the manner that you are describing.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358324
The only fields that are avaliable are "user and Contacts".  As a result, the security group would have to be a distribution group.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358330
or a security group with a mailing address
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question