Solved

Add techs the right to add users to groups

Posted on 2007-11-27
9
189 Views
Last Modified: 2010-03-17
I have an OU for each site.  Is it possible for a group of technicians to be able to add users that are in these site OUs to groups without being able to add them as Domain Admins or Enterprise Admins?
0
Comment
Question by:securitythreat
  • 4
  • 3
  • 2
9 Comments
 
LVL 2

Expert Comment

by:lcit
Comment Utility
On the properties page of the group, there's a "Managed By" tab.  Add your techs to the manager list, then check the box allowing them to update the member list.  
0
 
LVL 1

Author Comment

by:securitythreat
Comment Utility
This will only allow one name.  Also, it does not allow groups.  Is there a way around this?  For instance, if I have a group of admins that I want to be able to manage certain groups... that I can ad them?
0
 
LVL 2

Accepted Solution

by:
lcit earned 250 total points
Comment Utility
On the properties page of the group, click the security tab.  Click "advanced".  Click the Add button and add the techs you want to be able to manage the group and click ok.  Click the properties tab on the permissions box that pops up, and check the "write members" and "read members" allow boxes.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
lcit's 2nd instructions will suffice for a single group object at a time - if you need to apply this delegation en masse then you can use the Delegation of Control wizard in AD Users & Computers.  Right-click on the OU containing the group objects in question and select Delegate Control.  I believe "modify group membership" is one of the built-in tasks that you can delegate.

To answer your question about delegated techs not being able to add users to elevated groups like DA/EA, simply move the elevated groups in question into a separate OU - I typically place these groups into a separate "Administration" OU for this reason, as I have a number of delegated admins who have control over only the specific groups that I've designated.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Author Comment

by:securitythreat
Comment Utility
Laura -

This is fine.  However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?

Icit -

This still limits me to only one user per group.
0
 
LVL 2

Expert Comment

by:lcit
Comment Utility
That's strange.  I added a group with permission over another group and it worked for me.  Does it give you an error when you try to add multiples?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 250 total points
Comment Utility
> "However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?"

You are only delegating the right to modify group memberships in a particular OU; this in no way confers the right to move users and/or groups from one OU into another unless you have also delegated those rights separately.  Say you have an OU called "Corp" and an OU called "Administration", containing the following objects:

CORP
  - AccountingGroup
  - FinanceGroup
  - JSmith (User)
  - KSmith (User)

ADMINISTRATION
  - Domain Admins
  - Enterprise Admins
  - Schema Admins
  - CorpTechs

Delegate control over "CORP" to allow "CORPTECHS" to modify group membership; this will allow members of CorpTechs to modify membership for only the AccountingGroup and FinanceGroup group objects.  As long as you do not delegate permissions over the ADMINISTRATION OU, and as long as you place the CorpTechs group into an OU that members of CorpTechs cannot modify, they will not be able to elevate their privileges in the manner that you are describing.
0
 
LVL 1

Author Comment

by:securitythreat
Comment Utility
The only fields that are avaliable are "user and Contacts".  As a result, the security group would have to be a distribution group.
0
 
LVL 1

Author Comment

by:securitythreat
Comment Utility
or a security group with a mailing address
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now