Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Add techs the right to add users to groups

Posted on 2007-11-27
9
Medium Priority
?
197 Views
Last Modified: 2010-03-17
I have an OU for each site.  Is it possible for a group of technicians to be able to add users that are in these site OUs to groups without being able to add them as Domain Admins or Enterprise Admins?
0
Comment
Question by:securitythreat
  • 4
  • 3
  • 2
9 Comments
 
LVL 2

Expert Comment

by:lcit
ID: 20357728
On the properties page of the group, there's a "Managed By" tab.  Add your techs to the manager list, then check the box allowing them to update the member list.  
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20357849
This will only allow one name.  Also, it does not allow groups.  Is there a way around this?  For instance, if I have a group of admins that I want to be able to manage certain groups... that I can ad them?
0
 
LVL 2

Accepted Solution

by:
lcit earned 1000 total points
ID: 20357990
On the properties page of the group, click the security tab.  Click "advanced".  Click the Add button and add the techs you want to be able to manage the group and click ok.  Click the properties tab on the permissions box that pops up, and check the "write members" and "read members" allow boxes.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20358224
lcit's 2nd instructions will suffice for a single group object at a time - if you need to apply this delegation en masse then you can use the Delegation of Control wizard in AD Users & Computers.  Right-click on the OU containing the group objects in question and select Delegate Control.  I believe "modify group membership" is one of the built-in tasks that you can delegate.

To answer your question about delegated techs not being able to add users to elevated groups like DA/EA, simply move the elevated groups in question into a separate OU - I typically place these groups into a separate "Administration" OU for this reason, as I have a number of delegated admins who have control over only the specific groups that I've designated.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358278
Laura -

This is fine.  However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?

Icit -

This still limits me to only one user per group.
0
 
LVL 2

Expert Comment

by:lcit
ID: 20358293
That's strange.  I added a group with permission over another group and it worked for me.  Does it give you an error when you try to add multiples?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 1000 total points
ID: 20358321
> "However, if they have group right access in any OU, wouldn't they be able to move themselves or add someone else to the Enterprise Admin Group?"

You are only delegating the right to modify group memberships in a particular OU; this in no way confers the right to move users and/or groups from one OU into another unless you have also delegated those rights separately.  Say you have an OU called "Corp" and an OU called "Administration", containing the following objects:

CORP
  - AccountingGroup
  - FinanceGroup
  - JSmith (User)
  - KSmith (User)

ADMINISTRATION
  - Domain Admins
  - Enterprise Admins
  - Schema Admins
  - CorpTechs

Delegate control over "CORP" to allow "CORPTECHS" to modify group membership; this will allow members of CorpTechs to modify membership for only the AccountingGroup and FinanceGroup group objects.  As long as you do not delegate permissions over the ADMINISTRATION OU, and as long as you place the CorpTechs group into an OU that members of CorpTechs cannot modify, they will not be able to elevate their privileges in the manner that you are describing.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358324
The only fields that are avaliable are "user and Contacts".  As a result, the security group would have to be a distribution group.
0
 
LVL 1

Author Comment

by:securitythreat
ID: 20358330
or a security group with a mailing address
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question