User Delegation of Control in Server 2008 R2 Active Directory

I'm trying to delegate permissions to a help desk group so they can create new users and modify particular groups.  My OU structure looks like this:

- Admins OU
- Admins OU/Tech Support OU - actual users for helpdesk group, everyone is part of helpdesk group
- Admins OU/Groups OU - contains the helpdesk security group
- Accounting OU
- Accounting OU/Users OU - actual accounting users, everyone is part of acctgusers security group
- Accounting OU/Groups OU - contains the acctgusers group

So, I right-clicked the Accounting OU/Users OU, added the HELPDESK group to give them:

- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Modify the membership of a group

That let the HELPDESK group create users, delete them and reset passwords which is what I wanted, but they couldn't join accounting users to the ACCTGUSERS group.  So, I went to the Accounting OU/Groups OU, right-clicked it to delegate control and chose:

- Modify the membership of a group

That allowed me to accomplish what I needed.  However, now the HELPDESK group can go into the ACCTGUSERS group and add ANYONE they want, including domain admins and user accounts from OUs that they should not be able to edit.

Is there a way to allow the HELPDESK sec group to only let users in the Accounting OU be added to the ACCTGUSERS group?

Running 2008 R2 forest/domain levels.
Windows Server 2008, Active Directory

Last comment: 8/22/2022 (Mon)
Mike Kline

Once you give them access to edit the group they can select anyone in the domain.  You could play with taking read access away from those other users but then they couldn't help those users.

I'll see if I come up with anything but might not be easy to do.


Neil Russell

You cannot have such a restriction in Active Directory; it does not exist.
You cannot define WHAT users can be added to WHAT groups. A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see.


"A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see."

What do you mean by this?  How would I take away their permission to see another OU?
Tony Massa

Adding members to a group doesn't actually modify "Domain Admins" or the user object added to the group; rather, a backlink is calculated dynamically (which gives you memberOf), so if you give a user the permission to manage a group, they can add anyone, at any time.

You cannot change this behavior.


Quest Active Roles can do the same thing but is OUTRAGEOUSLY expensive.
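The answers above agree that AD itself cannot restrict which objects a delegated group may add to ACCTGUSERS, so the practical fallback is to verify exactly what was delegated and to watch the group. The PowerShell below is an added example, not from any poster in this thread; it assumes the RSAT ActiveDirectory module, the OU and group names from the question, and that the domain DN is whatever Get-ADDomain returns (the GUIDs are the well-known schemaIDGUIDs of the member attribute and the group class).

```powershell
# Added example (not from the thread): audit the delegation described above and
# detect members of ACCTGUSERS that live outside Accounting OU/Users OU.
# Assumes the RSAT ActiveDirectory module and the OU/group names from the question.
Import-Module ActiveDirectory

$DomainDN     = (Get-ADDomain).DistinguishedName            # e.g. DC=example,DC=com
$GroupsOU     = "OU=Groups,OU=Accounting,$DomainDN"         # where ACCTGUSERS lives
$AllowedOU    = "OU=Users,OU=Accounting,$DomainDN"          # only these users should be members
$TargetGroup  = "ACCTGUSERS"
$HelpdeskName = "HELPDESK"

# schemaIDGUIDs: 'member' attribute and 'group' object class.
# "Modify the membership of a group" in the Delegation wizard is WriteProperty on
# 'member', inherited by group objects under the OU; that is all it grants.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$GroupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$WriteProperty  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-HelpdeskGroupAces {
    # Lists the Allow ACEs on the Groups OU that let HELPDESK write 'member'
    # (ObjectType = member GUID, or the empty GUID meaning "all properties").
    $acl = Get-Acl -Path "AD:\$GroupsOU"
    $acl.Access | Where-Object {
        $_.IdentityReference -like "*\$HelpdeskName" -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $WriteProperty) -ne 0 -and
        ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
        @{n='AppliesToGroupsOnly'; e={ $_.InheritedObjectType -eq $GroupClassGuid }},
        InheritanceType
}

function Find-OutOfScopeMembers {
    # Returns direct members of ACCTGUSERS whose DN is not under the allowed OU.
    # AD cannot prevent these additions, so this is the compensating check.
    Get-ADGroupMember -Identity $TargetGroup | Where-Object {
        $_.distinguishedName -notlike "*,$AllowedOU"
    } | Select-Object name, objectClass, distinguishedName
}

function Get-RecentGroupAdds {
    param([int]$Hours = 24)
    # Security log on a DC; needs "Audit Security Group Management" enabled.
    # 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Group Name:\s+$TargetGroup" } |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}
}

# Usage: run on a domain controller (or a box with RSAT, for the first two).
Get-HelpdeskGroupAces
Find-OutOfScopeMembers
Get-RecentGroupAdds -Hours 24
```

Get-HelpdeskGroupAces confirms that the second delegation step only added a WriteProperty ACE on member for group objects, which is why nothing about the member's own OU is consulted. Find-OutOfScopeMembers is the cheap scheduled check that turns the "they can add anyone" caveat into something you actually notice; Get-RecentGroupAdds shows the same additions from the audit trail, including which helpdesk account made them.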