Active Directory Group Administrator
Posted on 2012-04-09
This is probably an easy one. Basically, I want to know why something is happening. Specifically, I have 3 containers.
I have a container admin for Container A, and a container admin for Container B. Neither container admin A nor B has rights to any object in Container Special. Also, container admin A cannot add/modify/delete objects in Container B and vice versa.
So, I want to allow both container admin A and container admin B to add/delete users from only one specific group under Container Special. This seems easy enough and I grant the Container A and B admin groups access to just this one group (pretty much full control to just the one group object, not descendant objects or anything else).
Everything works as expected except for one thing. Container admin A can add users from Container B into this group under Container Special (and container admin B can add users from Container A).
I can understand how the member attribute for the group object in the special container can be updated by either admin A or B (they have full rights to the group). Where my brain fails today is why/how they are allowed to update the memberOf attribute for a user they don't have rights to?
I have a feeling this is just the way it works, but I'm curious as to why. Any light that can be shed on this would be helpful.
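The following is an added example, not part of the original post: it uses the ActiveDirectory module to show that memberOf is a schema back-link computed from the group's member attribute (so no write to the user object ever happens), and then audits which principals hold write rights on that attribute for a given group. The group DN and domain are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed and the AD: PSDrive it creates is available.
Import-Module ActiveDirectory

# 1. Show that memberOf is the back-link of member in the schema.
#    Linked attributes come in pairs: the forward link (even linkID) is the
#    value actually stored and ACL-checked; the back-link (odd linkID =
#    forward + 1) is computed by the directory and is never written directly.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(|(lDAPDisplayName=member)(lDAPDisplayName=memberOf))' `
    -Properties lDAPDisplayName, linkID, schemaIDGUID |
    Select-Object lDAPDisplayName, linkID,
        @{ n = 'schemaIDGUID'; e = { [guid]$_.schemaIDGUID } }
# member -> linkID 2 (forward link), memberOf -> linkID 3 (back-link)

# 2. Audit who can write the 'member' attribute of the sensitive group.
#    Any principal listed here can add or remove members from the group
#    regardless of their rights on the user objects being added.
$groupDN        = 'CN=SpecialGroup,OU=Special,DC=example,DC=com' # placeholder DN
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$allAttrsGuid   = [guid]::Empty                                   # ACE applies to every attribute

$rights = [System.DirectoryServices.ActiveDirectoryRights]
(Get-Acl -Path "AD:\$groupDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ( $_.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -or
          $_.ActiveDirectoryRights.HasFlag($rights::GenericWrite)  -or
          $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) ) -and
        ( $_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq $allAttrsGuid )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Delegating full control of the group object therefore delegates membership changes over any account in the forest; if that is not intended, scope the delegation to the specific accounts or use a narrower attribute-level ACE.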