User Delegation of Control in Server 2008 R2 Active Directory

asked by sedberg1

I'm trying to delegate permissions to a help desk group so they can create new users and modify particular groups.  My OU structure looks like this:

- Admins OU
- Admins OU/Tech Support OU - actual users for helpdesk group, everyone is part of helpdesk group
- Admins OU/Groups OU - contains the helpdesk security group
- Accounting OU
- Accounting OU/Users OU - actual accounting users, everyone is part of acctgusers security group
- Accounting OU/Groups OU - contains the acctgusers group

So, I right-clicked the Accounting OU/Users OU, added the HELPDESK group to give them:

- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Modify the membership of a group

That let the HELPDESK group create users, delete them and reset passwords which is what I wanted, but they couldn't join accounting users to the ACCTGUSERS group.  So, I went to the Accounting OU/Groups OU, right-clicked it to delegate control and chose:

- Modify the membership of a group

That allowed me to accomplish what I needed.  However, now the HELPDESK group can go into the ACCTGUSERS group and add ANYONE they want, including domain admins and user accounts from OUs that they should not be able to edit.

Is there a way to allow the HELPDESK sec group to only let users in the Accounting OU be added to the ACCTGUSERS group?

Running 2008 R2 forest/domain levels.
Mike Kline

Once you give them access to edit the group they can select anyone in the domain.  You could play with taking read access away from those other users but then they couldn't help those users.

I'll see if I come up with anything but might not be easy to do.


You cannot have such a restriction in Active Directory; it does not exist.
You cannot define WHAT users can be added to WHAT groups. A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see.
sedberg1
"A group can contain any OU that is of a valid type and that the HELPDESK person has permission to see."

What do you mean by this?  How would I take away their permission to see another OU?

Adding members to a group doesn't actually modify "Domain Admins" or the user object added to the group; rather, a backlink is calculated dynamically (which gives you memberOf), so if you give a user the permission to manage a group, they can add anyone, at any time.

You cannot change this behavior.
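Since the ACL on a user's OU is never consulted when that user is written into a group's member attribute, the practical control is to audit the group after the fact. The following PowerShell is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module and uses placeholder DNs (example.com, the Accounting/Users OU) that must be replaced with the real ones.

```powershell
# Added audit example (not from the original thread). Reports members of a
# group whose distinguished name lies outside the OU the helpdesk is allowed
# to manage. Assumes the ActiveDirectory module; DNs below are placeholders.
Import-Module ActiveDirectory

function Get-OutOfScopeGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$AllowedOuDn
    )
    # 'member' is the forward link stored on the group object itself; memberOf
    # on the user is only the computed backlink. That is why the permission on
    # the user's own OU never comes into play when someone edits the group.
    $group = Get-ADGroup -Identity $GroupName -Properties member
    foreach ($memberDn in $group.member) {
        # A DN ends with the DN of its container, so a suffix test scopes by OU.
        $inScope = $memberDn.EndsWith(",$AllowedOuDn",
                       [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $inScope) {
            # Nested groups and computers are reported too; objectClass tells
            # the reviewer which kind of object slipped in.
            $obj = Get-ADObject -Identity $memberDn -Properties objectClass
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $memberDn
                ObjectClass = $obj.ObjectClass
            }
        }
    }
}

# Placeholder DNs: adjust to the real domain and OU layout.
$accountingUsersOu = 'OU=Users,OU=Accounting,DC=example,DC=com'
$violations = Get-OutOfScopeGroupMembers -GroupName 'ACCTGUSERS' `
                                         -AllowedOuDn $accountingUsersOu
if ($violations) {
    # Pair this with security log event 4728/4732 (member added to a
    # global/local group) to see which helpdesk account made the change.
    $violations | Format-Table -AutoSize
} else {
    Write-Output "All ACCTGUSERS members are inside $accountingUsersOu"
}
```

Run it on a schedule from a machine with the RSAT tools; any row it prints is a member the delegation described above should not have allowed.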
ArneLovius
Quest Active Roles can do the same thing but is OUTRAGEOUSLY expensive.