User Delegation of Control in Server 2008 R2 Active Directory

sedberg1 asked:
I'm trying to delegate permissions to a help desk group so they can create new users and modify particular groups.  My OU structure looks like this:

- Admins OU
- Admins OU/Tech Support OU - actual users for helpdesk group, everyone is part of helpdesk group
- Admins OU/Groups OU - contains the helpdesk security group
- Accounting OU
- Accounting OU/Users OU - actual accounting users, everyone is part of acctgusers security group
- Accounting OU/Groups OU - contains the acctgusers group

So, I right-clicked the Accounting OU/Users OU, added the HELPDESK group to give them:

- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Modify the membership of a group

That let the HELPDESK group create users, delete them and reset passwords which is what I wanted, but they couldn't join accounting users to the ACCTGUSERS group.  So, I went to the Accounting OU/Groups OU, right-clicked it to delegate control and chose:

- Modify the membership of a group

That allowed me to accomplish what I needed.  However, now the HELPDESK group can go into the ACCTGUSERS group and add ANYONE they want, including domain admins and user accounts from OUs that they should not be able to edit.

Is there a way to allow the HELPDESK sec group to only let users in the Accounting OU be added to the ACCTGUSERS group?

Running 2008 R2 forest/domain levels.
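The three wizard choices in the question, as an added example that is not part of the original thread. It grants the same ACEs the Delegation of Control wizard's templates grant, but as explicit access rules, and then reads them back so you can see exactly what HELPDESK holds. The domain name corp.example, the group name HELPDESK and the OU distinguished names are assumptions taken from the OU layout above; adjust them before running.

```powershell
# Added example, not code from the thread. Reproduces the three Delegation of
# Control wizard choices described above as explicit ACEs, then reads the
# resulting ACEs back so you can see exactly what HELPDESK was granted.
# Assumed names: domain corp.example, group HELPDESK, OU DNs as in the question.
Import-Module ActiveDirectory

$HelpDeskSid = (Get-ADGroup 'HELPDESK').SID
$UsersOU     = 'OU=Users,OU=Accounting,DC=corp,DC=example'    # assumed DN
$GroupsOU    = 'OU=Groups,OU=Accounting,DC=corp,DC=example'   # assumed DN

# Resolve class, attribute and extended-right GUIDs from the schema and
# configuration partitions instead of hard-coding them.
$rootDse = Get-ADRootDSE
$guid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties lDAPDisplayName, schemaIDGUID `
    -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=group)(lDAPDisplayName=member)(lDAPDisplayName=pwdLastSet))' |
  ForEach-Object { $guid[$_.lDAPDisplayName] = New-Object guid (,[byte[]]$_.schemaIDGUID) }
$guid['Reset Password'] = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # this OU and descendants
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # descendants only

function New-HelpDeskAce {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,      # attribute, class or extended right the ACE covers (Empty = all)
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit,
        [guid]$InheritedType    # object class the inherited ACE applies to (Empty = any)
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $HelpDeskSid, $Rights, $Allow, $ObjectType, $Inherit, $InheritedType
}

# 1. "Create, delete, and manage user accounts" on Accounting/Users:
#    create/delete child objects of class user on the OU, plus full control
#    of every user object beneath it.
$acl = Get-Acl "AD:\$UsersOU"
$acl.AddAccessRule((New-HelpDeskAce -Rights 'CreateChild, DeleteChild' -ObjectType $guid['user'] -Inherit $All -InheritedType ([guid]::Empty)))
$acl.AddAccessRule((New-HelpDeskAce -Rights 'GenericAll' -ObjectType ([guid]::Empty) -Inherit $Desc -InheritedType $guid['user']))
# 2. "Reset user passwords and force password change at next logon":
#    the Reset Password control-access right plus read/write on pwdLastSet.
$acl.AddAccessRule((New-HelpDeskAce -Rights 'ExtendedRight' -ObjectType $guid['Reset Password'] -Inherit $Desc -InheritedType $guid['user']))
$acl.AddAccessRule((New-HelpDeskAce -Rights 'ReadProperty, WriteProperty' -ObjectType $guid['pwdLastSet'] -Inherit $Desc -InheritedType $guid['user']))
Set-Acl -Path "AD:\$UsersOU" -AclObject $acl

# 3. "Modify the membership of a group" on Accounting/Groups: read/write on the
#    single attribute "member" of every group beneath the OU. The ACE names only
#    the attribute; nothing in it says which objects may be written into it.
$acl = Get-Acl "AD:\$GroupsOU"
$acl.AddAccessRule((New-HelpDeskAce -Rights 'ReadProperty, WriteProperty' -ObjectType $guid['member'] -Inherit $Desc -InheritedType $guid['group']))
Set-Acl -Path "AD:\$GroupsOU" -AclObject $acl

# Read back what HELPDESK now holds on each OU.
foreach ($ou in $UsersOU, $GroupsOU) {
    (Get-Acl "AD:\$ou").Access |
      Where-Object { $_.IdentityReference -like '*\HELPDESK' } |
      Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

The read-back is the useful part: the only right that touches group membership is a WriteProperty ACE whose ObjectType is the GUID of the `member` attribute. An ACE in Active Directory is scoped to a trustee, a right and an attribute, class or extended right; it has no field for "values that may be written", which is what the rest of the thread is about.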

Once you give them access to edit the group they can select anyone in the domain.  You could play with taking read access away from those other users but then they couldn't help those users.

I'll see if I come up with anything but might not be easy to do.


Neil Russell, Technical Development Lead:

You cannot have such a restriction in Active Directory; it does not exist.
You cannot define WHAT users can be added to WHAT groups. A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see.



"A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see."

What do you mean by this?  How would I take away their permission to see another OU?
Adding members to a group doesn't actually modify "Domain Admins" or the user object added to the group; rather, a backlink is calculated dynamically (which gives you memberOf), so if you give a user the permission to manage a group, they can add anyone, at any time.

You cannot change this behavior.
You could do it with an extra layer of abstraction between AD and the helpdesk where the abstraction layer is able to accept filters.

I trialled this with a client a few years ago, they didn't use it, but it might suit you


Quest Active Roles can do the same thing but is OUTRAGEOUSLY expensive.
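The point made in the answer above (the right lives on the group's `member` attribute, and `memberOf` on the added account is only a computed backlink), as an added example that is not part of the original thread. It lists every trustee that can change the membership of ACCTGUSERS, shows that the built-in Administrator's own DACL plays no part in that, and then reviews the membership changes helpdesk staff have actually made, since detection is the only control left once the write right exists. The names ACCTGUSERS and HELPDESK are taken from the question; the event-log part assumes it is run on a domain controller with "Audit Security Group Management" enabled.

```powershell
# Added example, not code from the thread. Audits who can change the membership
# of ACCTGUSERS, shows that the right is evaluated on the group rather than on
# the account being added, and reviews membership changes made by HELPDESK staff.
# Assumed names: ACCTGUSERS, HELPDESK. Run on a domain controller for the
# event-log part, with "Audit Security Group Management" enabled.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$memberGuid = New-Object guid (,[byte[]](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                  -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID)
$group      = Get-ADGroup 'ACCTGUSERS'

# Who can write "member" on the group? Any Allow ACE with WriteProperty (or a
# generic right that includes it) scoped either to the member attribute or to
# all attributes (empty ObjectType). No ACE form restricts WHICH distinguished
# names may be written into the attribute, so each trustee listed here can add
# any object it is able to read.
$canEditMembership = (Get-Acl "AD:\$($group.DistinguishedName)").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll') -and
    ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
}
$canEditMembership | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

# The account being added is not written to at all: its memberOf is the
# computed backlink of the group's member attribute. The built-in Administrator
# therefore carries no HELPDESK ACE (this prints nothing), yet HELPDESK can
# still add it to ACCTGUSERS.
$admin = Get-ADUser 'Administrator'
(Get-Acl "AD:\$($admin.DistinguishedName)").Access | Where-Object { $_.IdentityReference -like '*\HELPDESK' }
(Get-ADUser $admin -Properties memberOf).memberOf

# Compensating control: detect rather than prevent. A member added to a security
# group logs 4728 (global), 4732 (domain local) or 4756 (universal). Property
# order in these events: 0 MemberName, 2 TargetUserName (the group),
# 6 SubjectUserName (who made the change).
$helpdeskStaff = (Get-ADGroupMember 'HELPDESK' -Recursive).SamAccountName
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } -ErrorAction SilentlyContinue |
  Where-Object { $helpdeskStaff -contains $_.Properties[6].Value } |
  Select-Object TimeCreated, Id,
      @{ n = 'By';      e = { $_.Properties[6].Value } },
      @{ n = 'Added';   e = { $_.Properties[0].Value } },
      @{ n = 'ToGroup'; e = { $_.Properties[2].Value } }
```

The ACL check reads the group's own DACL only; it does not expand nested group membership of the trustees, nor does it list principals who could grant themselves the right through WriteDacl, WriteOwner or ownership of the group, so treat its output as a lower bound. The event review is the practical answer to the original question: if the helpdesk adds a Domain Admin to ACCTGUSERS, nothing in AD stops it, but the change is logged with the actor, the member and the group, which is what an alert or a daily report can key on.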
