Add techs the right to add users to groups

I have an OU for each site.  Is it possible for a group of technicians to be able to add users that are in these site OUs to groups without being able to add them as Domain Admins or Enterprise Admins?
Who is Participating?
lcitConnect With a Mentor Commented:
On the properties page of the group, click the security tab.  Click "advanced".  Click the Add button and add the techs you want to be able to manage the group and click ok.  Click the properties tab on the permissions box that pops up, and check the "write members" and "read members" allow boxes.
On the properties page of the group, there's a "Managed By" tab.  Add your techs to the manager list, then check the box allowing them to update the member list.  
securitythreatAuthor Commented:
This will only allow one name.  Also, it does not allow groups.  Is there a way around this?  For instance, if I have a group of admins that I want to be able to manage certain groups... that I can ad them?
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

lcit's 2nd instructions will suffice for a single group object at a time - if you need to apply this delegation en masse then you can use the Delegation of Control wizard in AD Users & Computers.  Right-click on the OU containing the group objects in question and select Delegate Control.  I believe "modify group membership" is one of the built-in tasks that you can delegate.

To answer your question about delegated techs not being able to add users to elevated groups like DA/EA, simply move the elevated groups in question into a separate OU - I typically place these groups into a separate "Administration" OU for this reason, as I have a number of delegated admins who have control over only the specific groups that I've designated.
securitythreatAuthor Commented:
Laura -

This is fine.  However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?

Icit -

This still limits me to only one user per group.
That's strange.  I added a group with permission over another group and it worked for me.  Does it give you an error when you try to add multiples?
LauraEHunterMVPConnect With a Mentor Commented:
> "However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?"

You are only delegating the right to modify group memberships in a particular OU; this in no way confers the right to move users and/or groups from one OU into another unless you have also delegated those rights separately.  Say you have an OU called "Corp" and an OU called "Administration", containing the following objects:

  - AccountingGroup
  - FinanceGroup
  - JSmith (User)
  - KSmith (User)

  - Domain Admins
  - Enterprise Admins
  - Schema Admins
  - CorpTechs

Delegate control over "CORP" to allow "CORPTECHS" to modify group membership; this will allow members of CorpTechs to modify membership for only the AccountingGroup and FinanceGroup group objects.  As long as you do not delegate permissions over the ADMINISTRATION OU, and as long as you place the CorpTechs group into an OU that members of CorpTechs cannot modify, they will not be able to elevate their privileges in the manner that you are describing.
securitythreatAuthor Commented:
The only fields that are avaliable are "user and Contacts".  As a result, the security group would have to be a distribution group.
securitythreatAuthor Commented:
or a security group with a mailing address
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.